New Standards and ‘Shadow Process’ Risk

In the cybersecurity world, executives worry constantly about “shadow IT”—the risk that employees will implement their own IT systems via the cloud without telling anyone, therefore exposing the company to unknown security risks.

Here at The Exchange Community, as I listen to discussions of new accounting standards for revenue recognition and leasing, I see a similar risk emerging for accounting and audit executives: shadow process.

Let’s start with the new standards themselves. The new revenue standard (going into effect for periods beginning on or after Dec. 15, 2017) deconstructs business transactions into a series of performance obligations to be fulfilled. As each obligation is fulfilled, you can recognize that portion of total revenue for the whole transaction.

The leasing standard (going into effect for periods beginning on or after Dec. 15, 2018) will require companies to list the cost of operating leases as liabilities on the balance sheet. Companies currently report them only in the footnotes, even though for some companies, those future leasing costs can be larger than all other liabilities combined.

Both of these standards, really, are about contract management.

In that case, the real risk isn’t that the new standards will cause material change to your financial statements. (Although for a minority of companies, a material change will happen.) For most companies, the real risk is that you won’t have a single process to manage all the leasing or revenue activity happening in your business.

Somebody, somewhere in your enterprise, might set up a shadow process and not tell you about it. Maybe you won’t discover that shadow leasing activity until days before you need to file the 10-Q. Or maybe your auditor won’t accept your process for managing revenue or leasing activity. You won’t, as we touched upon in yesterday’s post, have complete and accurate reports of what’s going on.

When the SEC Professionals Group met on Wednesday morning to talk about implementing the new standards, that risk of shadow process was the subtext of almost the entire conversation. As one speaker said of the leasing standard, “We have leasing software for the stuff we know about … we do worry about those places where leases are hiding.” Another: “We need to have a process to connect down to other departments.”

Nor is this something that corporate financial reporting staff can delay. For example, the leasing standard won’t show up in an SEC filing until early 2019—but companies will need to present three years of financial data in that 2019 report. So even now, in 2017, the urgency is there to understand how departments in your business are generating leasing costs today.

Indeed, the leasing standard might be the better example of the risk of “shadow process” than revenue recognition because so many more people within an organization can incur leasing costs. So, does the company have enterprise-wide policies for who can incur leasing obligations? Do the leases you sign capture required data about dates, payment terms, renewal clauses, and so forth? Do you have a policy about embedded leases, where leasing costs are part of a larger transaction? (For example, you purchase fuel from a supplier that leases you the delivery tank, but the leasing cost for the tank isn’t specified in the entire purchase contract.)

Corporate financial departments can combat shadow process with vigorous policy management and training. Yes, you might also be able to fight the problem with controls to block certain leasing transactions employees try to put on a payment card—but that’s not enough. Some assistant vice president might sign a lease contract and omit key details in an invoice, so it isn’t tagged as such. Someone might rent services on the cloud using his personal credit card and expense it.

The bottom line is that in today’s world, evading controls has never been easier—and every evasion an employee cooks up is, really, another shadow process. The best way to prevent employees from using a shadow process is to train, remind, coax, and hector them not to avoid the authorized process in the first place.

It’s something to think about, the next time you get an email encouraging you to sign up for the premium level of that free online service you’re using at work.

(Today’s item is cross-posted from the Workiva blog. You can view the original post there. Look for more dispatches from the 2017 Wdesk user conference all week!)

Leave a Comment

You must be logged in to post a comment.