Skip to Main Content

blogpost

New revenue recognition rules: Evaluating the impact on manufacturers

06.25.18

For over four years the business community has been discussing the impact Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers, will have on financial reporting. As you evaluate the impact this standard will have on a manufacturers’ financial reporting practices, there are certain provisions of ASC 606 you should consider.

Then: Prior to ASC 606, manufacturers generally recognize revenue when persuasive evidence of an arrangement exists, delivery has occurred, the fees are fixed or determinable, and collection is reasonably assured. For most, this typically occurs when a product ships and the title to the product transfers to the customer.

Now: Under ASC 606, effective for annual reporting periods beginning after December 15, 2018 for non-public entities (December 15, 2017 for public entities), an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services. Under this core principle, an entity should:

  1. Identify its contracts with its customers,
  2. Identify performance obligations (promises) in the contract,
  3. Determine the transaction price,
  4. Allocate the transaction price to the performance obligations in the contract; and
  5. Recognize revenue when (or as) the entity satisfies the performance obligation. 

Who does it impact, and how?

For some manufacturers, ASC 606 will not impact their financial reporting practices since they satisfy their performance obligation when the product is shipped and the title has transferred to the customer. However, entities who manufacture highly specialized products may be required to recognize revenue over time if the entity’s performance creates an asset without an alternative use to the entity, and the entity has an enforceable right to compensation for performance completed to date.

Limitations

To determine if a product has an alternative use, the entity must assess whether it is restricted contractually from redirecting the asset for another use during production, or if there are practical limitations on the entity’s ability to redirect the product for another use. A contractual limitation must be substantive for it to be determined to not have an alternative use, e.g., the customer can enforce rights for delivery of the product. A restriction is not substantive if the product is largely interchangeable with other products the entity could transfer between customers without incurring a significant loss.

A practical limitation exists if the entity’s ability to redirect the product for another use results in significant economic losses, either from significant rework costs or having to sell the product at a loss. The alternative use assessment should be done at contract inception based on the product in its completed state, and not during the production process. Therefore, the point in time during production when a product becomes customized and not generic is irrelevant. If it is determined there is no alternative use, the entity has satisfied this criterion and must evaluate its enforceable right to compensation for performance completed to date.

Definitions and Distinctions

ASC 606 defines a contract as “an agreement between two or more parties that creates enforceable rights and obligations”. Accordingly, the definition of a contract may include, but not be limited to, a Purchase Order, Agreement for the Sale of Goods, Bill of Sale, Independent Contractor Agreement, etc. In applying this definition to business operations and revenue recognition, an entity must consider its individual business practices, and possibly individual customer arrangements in determining enforceability.

Once it is determined that the entity has an enforceable right to a payment, the amount of payment must also be considered. The amount that would “compensate” an entity for performance to date should be the estimated selling price of the goods or services transferred to date (for example, recovery of costs incurred plus a reasonable profit margin) rather than compensation for only the entity’s potential loss of profit if the contract were to be terminated. Accordingly, a payment that only covers the entity’s costs incurred to date or for the entity’s potential loss of profit if the contract was terminated does not allow for the recognition of revenue over time.

Compensation for a reasonable profit margin need not equal the profit margin expected if the contract was fulfilled as promised. Once the “enforceable right to compensation for performance completed to date” requirement has been met, an entity will then assess the appropriate method of recognizing revenue over a period of time using input or output methods, as provided under ASC 606.

For manufacturers of highly specialized products there may not be a simple answer for determining appropriate revenue recognition policies for each customer contract and evaluating the impact can be a challenging endeavor.

Next steps

If you would like guidance in analyzing the impact ASC 606 will have on a manufacturer’s financial reporting practices, including the potential impact it may have on bank covenants, borrowing base calculations, etc., please contact one of our dedicated commercial industry practice professionals.
 

Related Industries

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: read this if you are a Maine business owner or officer.

New state law aligns with federal rules for partnership audits

On June 18, 2019, the State of Maine enacted Legislative Document 1819, House Paper 1296, An Act to Harmonize State Income Tax Law and the Centralized Partnership Audit Rules of the Federal Internal Revenue Code of 1986

Just like it says, LD 1819 harmonizes Maine with updated federal rules for partnership audits by shifting state tax liability from individual partners to the partnership itself. It also establishes new rules for who can—and can’t—represent a partnership in audit proceedings, and what that representative’s powers are.

Classic tunes—The Tax Equity and Fiscal Responsibility Act of 1982

Until recently, the Tax Equity and Fiscal Responsibility Act of 1982 (TEFRA) set federal standards for IRS audits of partnerships and those entities treated as partnerships for income tax purposes (LLCs, etc.). Those rules changed, however, following passage of the Bipartisan Budget Act of 2015 (BBA) and the Protecting Americans from Tax Hikes Act of 2015 (PATH Act). Changes made by the BBA and PATH Act included:

  • Replacing the Tax Matters Partner (TMP) with a Partnership Representative (PR);
  • Generally establishing the partnership, and not individual partners, as liable for any imputed underpayment resulting from an audit, meaning current partners can be held responsible for the tax liabilities of past partners; and
  • Imputing tax on the net audit adjustments at the highest individual or corporate tax rates.

Unlike TEFRA, the BBA and PATH Act granted Partnership Representatives sole authority to act on behalf of a partnership for a given tax year. Individual partners, who previously held limited notification and participation rights, were now bound by their PR’s actions.

Fresh beats—new tax liability laws under LD 1819

LD 1819 echoes key provisions of the BBA and PATH Act by shifting state tax liability from individual partners to the partnership itself and replacing the Tax Matters Partner with a Partnership Representative.

Eligibility requirements for PRs are also less than those for TMPs. PRs need only demonstrate “substantial presence in the US” and don’t need to be a partner in the partnership, e.g., a CFO or other person involved in the business. Additionally, partnerships may have different PRs at the federal and state level, provided they establish reasonable qualifications and procedures for designating someone other than the partnership’s federal-level PR to be its state-level PR.

LD 1819 applies to Maine partnerships for tax years beginning on or after January 1, 2018. Any additional tax, penalties, and/or interest arising from audit are due no later than 180 days after the IRS’ final determination date, though some partnerships may be eligible for a 60-day extension. In addition, LD 1819 requires Maine partnerships to file a completed federal adjustments report.

Partnerships should review their partnership agreements in light of these changes to ensure the goals of the partnership and the individual partners are reflected in the case of an audit. 

Remix―Significant changes coming to the Maine Capital Investment Credit 

Passage of LD 1671 on July 2, 2019 will usher in a significant change to the Maine Capital Investment Credit, a popular credit which allows businesses to claim a tax credit for qualifying depreciable assets placed in service in Maine on which federal bonus depreciation is claimed on the taxpayer's federal income tax return. 

Effective for tax years beginning on or after January 1, 2020, the credit is reduced to a rate of 1.2%. This is a significant reduction in the current credit percentages, which are 9% and 7% for corporate and all other taxpayers, respectively. The change intends to provide fairness to companies conducting business in-state over out-of-state counterparts. Taxpayers continue to have the option to waive the credit and claim depreciation recapture in a future year for the portion of accelerated federal bonus depreciation disallowed by Maine in the year the asset is placed in service. 

As a result of this meaningful reduction in the credit, taxpayers who have historically claimed the credit will want to discuss with their tax advisors whether it makes sense to continue claiming the credit for 2020 and beyond.
 

Blog
Maine tax law changes: Music to the ears, or not so much?

Proposed House bill brings state income tax standards to the digital age

On June 3, 2019, the US House of Representatives introduced H.R. 3063, also known as the Business Activity Tax Simplification Act of 2019, which seeks to modernize tax laws for the sale of personal property, and clarify physical presence standards for state income tax nexus as it applies to services and intangible goods. But before we can catch up on today, we need to go back in time—great Scott!

Fly your DeLorean back 60 years (you’ve got one, right?) and you’ll arrive at the signing of Public Law 86-272: the Interstate Income Act of 1959. Established in response to the Supreme Court’s ruling on Northwestern States Portland Cement Co. v. Minnesota, P.L. 86-272 allows a business to enter a state, or send representatives, for the purposes of soliciting orders for the sale of tangible personal property without being subject to a net income tax.

But now, in 2019, personal property is increasingly intangible—eBooks, computer software, electronic data and research, digital music, movies, and games, and the list goes on. To catch up, H.R. 3063 seeks to expand on 86-272’s protection and adds “all other forms of property, services, and other transactions” to that exemption. It also redefines business activities of independent contractors to include transactions for all forms of property, as well as events and gathering of information.

Under the proposed bill, taxpayers meet the standards for physical presence in a taxing jurisdiction, if they:

  1.  Are an individual physically located in or have employees located in a given state; 
  2. Use the services of an agent to establish or maintain a market in a given state, provided such agent does not perform the same services in the same state for any other person or taxpayer during the taxable year; or
  3. Lease or own tangible personal property or real property in a given state.

The proposed bill excludes a taxpayer from the above criteria who have presence in a state for less than 15 days, or whose presence is established in order to conduct “limited or transient business activity.”

In addition, H.R. 3063 also expands the definition of “net income tax” to include “other business activity taxes”. This would provide protection from tax in states such as Texas, Ohio and others that impose an alternate method of taxing the profits of businesses.

H.R. 3063, a measure that would only apply to state income and business activity tax, is in direct contrast to the recent overturn of Quill Corp. v. North Dakota, a sales and use tax standard. Quill required a physical presence but was overturned by the decision in South Dakota v. Wayfair, Inc. Since the Wayfair decision, dozens of states have passed legislation to impose their sales tax regime on out of state taxpayers without a physical presence in the state.

If enacted, the changes made via H.R. 3063 would apply to taxable periods beginning on or after January 1, 2020. For more information: https://www.congress.gov/bill/116th-congress/house-bill/3063/text?q=%7B%22search%22%3A%5B%22hr3063%22%5D%7D&r=1&s=2
 

Blog
Back to the future: Business activity taxes!

This site uses cookies to provide you with an improved user experience. By using this site you consent to the use of cookies. Please read our Privacy Policy for more information on the cookies we use and how you can manage them.