Proformative presents Moving to the Cloud – Risk, Control, and Accounting Considerations. Special thanks to Jane Lin, Deloitte & Touche LLP.
To download full presentation, visit http://bit.ly/9jwNl2
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
Moving to the Cloud – Risk, Control, and Accounting Considerations
1. THE RESOURCE FOR CORPORATE FINANCE, ACCOUNTING & TREASURY PROFESSIONALS
Moving to the Cloud – Risk and
Control Considerations
Jane Lin
Deloitte & Touche LLP
2. This presentation contains general information only and is based on the
experiences and research of Deloitte practitioners. Deloitte is not, by
means of this presentation, rendering business, financial, investment,
accounting, tax, or other professional advice or services. This presentation
is not a substitute for such professional advice or services, nor should it be
used as a basis for any decision or action that may affect your business.
Before making any decision or taking any action that may affect your
business, you should consult a qualified professional advisor. Deloitte, its
affiliates, and related entities shall not be responsible for any loss
sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss
Verein, and its network of member firms, each of which is a legally
separate and independent entity. Please see www.deloitte.com/us/about
for a detailed description of the legal structure of Deloitte Touche
Tohmatsu and its member firms. Please see www.deloitte.com/us/about
for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries.
3. Cloud Computing
• Is the cloud the new software?
• Will the evolution of the cloud and
industry competition lead to
accounting complexity similar to
software in the late 1980’s?
• Will there be wider tax implications?
• Will there be added regulatory
scrutiny?
4. Key Drivers for Cloud Computing
• Key cloud computing drivers include lower cost of ownership, speed of
delivery, flexibility, and scalability
• Pay for what you use
• Computing delivered as a
• Repair and maintenance savings
borderless utility
• Software and license purchase
• Applications live in a variety of
savings
locations and data flows across
geographic boundaries • Physical space savings
• Less in-house IT staff required
• Accessibility from
anywhere via Internet • Highly automated, easy/fast
to deploy
• Collaborating/sharing made
easier between disparate
offices, remote workers,
and suppliers
• 24X7 availability to applications and
services
• Ability to combine and create
customized services instantly
• Scalable services and applications
5. What Did the Cloud Bring?
• New business models
• New service offerings
• New capabilities
• Innovation
• Outsourcing
• Relinquishing operational control
• Relinquishing ownership of IT resources
• Effect on companies
• Increased flexibility
• Broader reach
• Faster response time and results
• Reduced time to market
6. Benefits and Advantages
• On demand service accessed through Internet or internal network
• Scalability and elastic capacity
• Resource pooling
• Minimize capital and other upfront costs
• Increase IT agility and flexibility; improved IT service capabilities; faster
innovation cycle with less business interruption
• Reduced overall spending on IT as a result of lower project costs and
fewer IT resources to support new business initiatives. Shifting of
costs to vendor who spread cost across user base
• Reduced IT overcapacity through the use of a “pay-as-you-go” model
requiring fewer data center resources (hardware, space, power) and
reduced maintenance costs and improve cyclical operations
• Enable new business model to take competitive advantage
• Leverage new IT architectures to enable policy-based management of
business and IT
7. Benefits and Advantages
• Accelerate time-to-benefit with reduced
time to start up, implement, and
complete projects
• Optimize resources through the
reallocation of staff to focus on “core”
vs. “non-core” activities
• Indirectly reduce other costs such as
electricity, rent, salaries, and other
overhead
• Easier to maintain and upgrade
8. Challenges
• Unintended effect on
‒ Business models
‒ Accounting and audit
‒ Taxes
‒ Internal controls
‒ Policies and procedures
‒ Corporate governance
‒ Laws and regulations
• Exaggerated claims regarding current and future deliverables
• Data security and privacy
• Data center management
• Regulatory and compliance
• Fast paced, constant changes may lead to quicker obsolescence
• Effective metering of customer usage
• Integration costs and duration
• Integrating SaaS and traditional applications
• Managing and monitoring integration interfaces
9. Accounting and Audit
• Revenue recognition • Cost deferral
‒ Software vs. non-software • Capitalization
‒ Billing model alone, whether utility or • Business combination
subscription basis, does not ‒ On-going performance obligations
necessarily determine revenue
‒ Deferred revenue
recognition
‒ Multiple element arrangements • Adequacy of accounting and audit trail
‒ Hosting arrangements • US GAAP vs. IFRS
‒ Service arrangements
‒ Contract accounting
‒ Milestones
‒ Concessions
‒ Activation fees
‒ Usage-based fees
‒ Discounts
‒ Use it or lose it clauses
10. ASU 2009-13 (Issue 08-1)
ASC 605-25 (Issue 00-21) ASU 2009-13 (Issue 08-1)
Criteria for Separation Criteria for Separation
Delivered element(s) have standalone value Delivered element(s) have standalone value
Undelivered element(s) have objective and
reliable evidence of fair value
If a general right of return exists for delivered If a general right of return exists for delivered
element, performance of the undelivered element, performance of the undelivered
element is probable and in vendor’s control element is probable and in vendor’s control
Allocation Methods Allocation Method
Relative fair value Relative selling price
Residual
11. Selling Price Hierarchy
Must establish the selling price at inception of an arrangement for ALL
deliverables in an arrangement whether delivered or undelivered
Must use if it exists and if it
is obtainable without
undue cost and effort
VSOE Vendor-Specific
Objective Evidence
If VSOE does not exist, use
TPE if it exists and if it is Third-Party
obtainable without undue TPE Evidence
cost and effort
Can use only if VSOE and
TPE do not exist – new Estimated Selling
concept under ASU 2009- ESP Price
13 (Issue 08-1)
12. Implementation Issues – Standalone Value
• A deliverable has standalone value to the customer if
− Sold separately by any vendor
− Customer could resell item on a standalone basis (the existence of an
observable market is not required)
• Previously less of a focus in multiple-element arrangements because
fair value threshold was a more common barrier to separation
• Not an assessment under software guidance
13. Implementation Issues – Deliverables
• Identification of deliverables in an arrangement
‒ Issue 08-1 does not change requirement to identify all deliverables in an
arrangement
‒ Need to know all of the deliverables in order to accurately allocate selling
price
• Definition of a deliverable
‒ Not defined
‒ Consider the following:
• Distinct action required
• Exclusion or inclusion would cause arrangement fee to vary significantly
• Failure to deliver results in a refund or penalty
• Each performance obligation, including those ancillary to the primary product and
those with no explicit monetary value
• Essential to functionality of other products or services
• Inconsequential or perfunctory
‒ Not a concept for software
14. Example – Delivery of Products and
Services
ASC 505-25 (Issue 00-21) ASU 2009-13 (Issue 08-1)
Delivered Products Delivered Products
VSOE exists VSOE exists
Undelivered Services Undelivered Services
No VSOE No VSOE
No TPE No TPE
Estimated selling price exists Estimated selling price exists
1 unit 2 units
(Use of estimated selling price (Use of estimated selling price
is not allowed; therefore, is allowed; therefore,
cannot separate) separate)
1.5
15. Taxes
– Classification (i.e., service, sale, rent; perhaps a bundled package)
– Taxable presence – the “what, where, and how”
• What activities take place in any given geography?
• Where and how does contracting and delivery take place?
• How are the operations structured, e.g., entities, branches?
– Different rules for different types of tax (i.e., income, transaction, withholding)
Domestic income tax issues Local country tax issues
• Revenue recognition – Structure of business • Permanent establishment – Local country
and characterization of transactions income tax, core business functions vs.
• Foreign tax credits – Source of income, preparatory and auxiliary
characterization, and credits • Characterization – Withholding tax or
• Withholding tax services tax; treaty relief?
• Nexus – Income and sales and use tax • Transactional tax – B-2-B, or B-2-C?
• Apportionment – Tangible personal property Services provided in country?
destination` • Transfer pricing – Also applies to U.S. and
multistate income tax
16. Internal Controls
• Integration of different technologies
• Data security, access controls, and confidentiality
• Who owns the data? How are they being used? Are controls in place?
• How is security achieved? What is the level of privacy protection?
• Any small incident may have exponential consequences for all provider’s customers
• Are there risk management controls to applications and data?
• Data availability and reliability
• User control over services, resources, and information
• Data centralization may simplify regulatory concerns but may lead to potential
“single points of failure”
• Regular location changes or data residing on multiple locations may result in
increased regulatory scrutiny with data transfer across borders
• Risk assessment
• Policies and procedures
• On-going monitoring
• A need for more sophisticated corporate governance
17. Internal Controls
• Sufficiency of back up, business continuity, data retention, and disaster
recovery
• A need to specify desired security levels in contract terms
• A need for cloud providers/vendors to offer a higher degree of
protection and transparency to customers
• Users should request from vendors the evidence of compliance with
regulations (general civil law, contract law, consumer protection law, e-
commerce regulation, fair trade practice law) and generally accepted
standards (PCI DSS, ISO27001).
• Users may conduct audits of vendor controls, request vendor to
provide service auditor (SAS 70) reports, or request vendor to hold
security accreditations
• Security controls users would like the vendors to adopt may be beyond
the controls inherent to the cloud platform
• Any new internal control requirements may increase cost
18. Regulatory Considerations
• Regulatory considerations such as SOX and HIPAA
• Blurred relationship between data and geographic location
• Where is the actual physical location and which privacy rules apply?
• Careful planning of cross-border nature of cloud computing can help
minimize regulatory, tax, accounting, and audit issues
• Compliance with local regulatory and legal requirements
• Potential new laws and regulations
19. What We Are Seeing
• Companies establish multiple business models and segments early on
• Certain industries are slower to adopt (e.g., health care, insurance industries)
• Multiple product and service offerings and complex organizational structure
• Focus is on expanding business and service capabilities
• The provision of similar products and services at lower fees are now more
common
• Pressure from users for lower fees
• Too many handshakes and collaborations taking place for transactions
• Accounting for revenue recognition is not less complex
• Increased audit challenges
• Increased tax complexity
• Ultimately, will cost really decrease or only shift from capital to operating?
• Accounting, tax, and laws and regulations have not yet caught up
20. What May be Expected
• Cloud computing is here to stay
• Continued growth and increased enterprise adoption of cloud computing, and
major shifts in the IT industry, disrupting suppliers, and reshaping vendor
roles
• Pressure to reduce fees and costs also affect revenue and margins requiring
new product and service offerings
• Increased competition in product and service offerings may lead to business
failures
• New laws and regulations on privacy, infringement, taxes, data security, data
transfer, and others
• Tighter International e-commerce regulations
• Potential new accounting rules
• Can company with existing, higher cost technology and offering traditional
products and services evolve fast enough to keep up with competition of
newer, lower cost technology?