Financial Statement Audits for Leases: Assessing Risks and Controls

Assessing risks and controls

With the implementation of the new lease accounting standard, ASC 842, new financial statement and process risks emerge for private companies. As organizations plan for the upcoming transition, they should ensure an approach that includes documented processes and effectively designed and implemented internal controls exists to mitigate new risks appropriately. Audit teams will utilize this documentation to evaluate their level of assessed risk, which can make a material impact on the nature of eventual substantive test work. Leases themselves do not represent a new type of business transaction; thus, reviewing and updating the risks and controls in place now can also help prepare for an efficient transition and successful audit later.

Process documentation

To properly identify the existing, as well as new, financial statement risks associated with lease accounting, organizations should clearly document the lease lifecycle, which consists of initiation and execution of a lease agreement through general ledger posting and financial statement disclosure. After explicit documentation, organizations can identify areas with no or weak controls, and begin to design new controls to mitigate identified risks now, instead of waiting until the effective year of adoption. Auditors may spend time during the risk assessment phase performing a full walkthrough of this documented process, so it is important for organizations to prepare ahead of time.

Below, we’ll focus on three central risks most commonly identified in the lease lifecycle:

1. Ensuring the completeness of the lease population
2. Ensuring the accumulation of the necessary and appropriate data to apply lease guidance
3. Ensuring changes to leases (which can include amendments/modifications, terminations, and executed renewals) are communicated timely to the accounting department for posting

Completeness of lease population

Due to legacy ASC 840 guidance requiring lessees to recognize only the income statement impact for operating leases, many organizations previously shifted focus elsewhere in regards to ensuring the correct identification of individual contracts or assets as leases. Under ASC 840, regardless of whether an asset qualified as a lease or not, the decision would not impact the balance sheet. Auditors will consider the risk that management’s current control environment does not consider lease identification as a material process. As a reminder, the FASB released a package of practical expedients to ease the burden of lease implementation. However, an organization must meet certain qualifications to elect the package. One of those requirements is identifying a complete and accurate population of leases under ASC 840, even prior to the adoption of ASC 842. An organization cannot grandfather prior errors when electing the practical expedient; thus, it is imperative to mitigate the completeness risk well in advance of the transition.

Decentralized organizations face a more extensive challenge, as leases may only be known to one department or region within the organization. A quality process narrative will help identify which individuals have the authority to execute lease (and service) contracts that may be in-scope under ASC 842. Once an organization identifies those individuals, management can develop controls and processes to ensure each executed contract undergoes a documented lease evaluation.

Necessary and appropriate data abstraction

The most significant changes under the new standard relate to operating leases. Therefore, organizations should focus on identifying key operating lease data points and establishing processes to ensure appropriate documentation. As accounting for capital leases currently depends on data points similar to those that the new standard will require for operating leases, reviewing and updating the existing capital lease process serves as a good starting point.

Under ASC 842, organizations will need to calculate the present value of future lease payments; thus, the implicit rate (or incremental borrowing rate) must now be identified. Some additional key inputs for operating leases include:

• Remaining lease term, including reassessment if electing the hindsight practical expedient
• Existing deferred or prepaid rent
• Lease incentives, including the timing of incentive execution/payment
• Initial direct costs (assessment of initial direct cost is different under 842)
• Remaining rent payments
• Lease components, nonlease components, and non-contract components

Timely communication and recognition of lease changes

Often in decentralized organizations, contract changes may not get communicated to the accounting department in a timely manner. With “as-of” lease obligation values now on the balance sheet under ASC 842, changes to an individual lease agreement need to be captured at the effective date on which the changes occur to produce accurate balance sheet obligation values. This is true under current lease accounting and will be true when the accounting treatment changes. Management should identify which departments and individuals have the authority to execute lease changes to ensure processes and controls exist to alert the accounting department of respective changes and necessary details. Where gaps in these controls occur, management can take the time now to develop and improve processes.

The risks from miscommunication are further amplified at financial close dates, including month-end, quarter-end, and fiscal year-end close. Auditors tend to focus on the cut-off risk due to the fact that a small delay in the recognition of a lease obligation, can lead to a material misstatement. This is especially true if the delay results in the recognition of the lease results in crossing over a fiscal period. Now is the time to have your auditors review these updated and enhanced process narratives and identify any significant gaps – avoiding any last-minute issues.

Internal control design for ASC 842

Once companies identify the new potential financial risks associated with the transition to ASC 842, they should begin designing preventive and detective internal controls to mitigate these risks. Auditors often test to ensure controls are designed to mitigate risk appropriately and, depending on the potential materiality of the new accounts, the auditor may sample instances of the control to test for operating effectiveness. Even if the auditor chooses to forgo testing controls, it is still imperative for organizations to have a strong control environment in place to reduce the risk of potential material misstatements within the financials.

This next section examines actual controls that companies can implement to address the three main risks identified earlier: completeness of the lease portfolio, appropriate recognition of key lease inputs, and timely recognition of new and modified leases.

Completeness of lease population

To address the risk of an incomplete population of leases, entities should start with a master lease schedule. Once this list is compiled, reconcile the list to the prior years’ lease commitment disclosures, required under ASC 840. This step alone will likely not sufficiently address the risk, especially if controls did not exist previously to ensure a complete lease population. Additional controls to consider to help ensure a complete listing of all leases are listed below:

• At the end of every month, each department head reviews all contracts executed to gather a list of potential leases and sends the list to accounting. The accounting department can determine whether the contract or asset qualifies as a lease based on the noted definition with ASC 842. It’s imperative to have an individual with technical knowledge documenting the evaluation as to whether a contract or asset qualifies as a lease. This control qualifies as preventive.
• Quarterly, the accounting department compares a list of recurring vendor payments with the master lease schedule, determining if any payments relate to leases that are incorrectly excluded from the master lease schedule.

By no means does this serve as an exhaustive list of potential controls. However, this list represents the more common and effective controls companies can utilize to address the risk of completeness.

Necessary and appropriate data abstraction

Companies should first familiarize themselves with how lease data is gathered – whether a manual abstraction takes place or an IT system exports key data. The method by which data is gathered suggests certain types of controls as more effective for mitigating risk. Below are examples of controls for all types of data gathering that facilitate compiling accurate lease data and calculating necessary adjustments for both:

• All records within the master lease schedule have a documented spreadsheet of all data points required for compliance. This spreadsheet should be approved by a member of the accounting management team.
• All discount rates used to calculate present values should have an approved rationale behind the basis of the particular rate.
• Note – accountants can mirror this type of control as it relates to determining the certainty of exercising future renewal options, which can affect the initial lease term

Many appropriate controls qualify as management review controls. However, it’s imperative for organizations to ensure the reviewer has the relative expertise to ensure the data matches the requirements.

Timely communication and recognition of lease changes

As noted previously, this risk has the potential to become material considering the balance sheet values now presented under the new standard. Below are sample controls to address this risk:

• The accounting team schedules a monthly or quarterly meeting with all departments that execute new lease contracts or exercise renewal options within existing lease contracts. The results of this meeting are documented and approved by a manager-level member of the accounting team. This meeting details all executed lease changes.
• Perform monthly reconciliations of lease payments to the lease payment schedules and investigate any variances, as these variances might indicate new or modified lease contracts that were only communicated to the payables team.

Proper design and implementation of internal controls can mitigate not only financial reporting risk within an organization now, but also lower the auditor’s assessed risk of the trial balance accounts and processes upon transitioning to ASC 842. The lower the auditor’s assessed risk, the smoother the substantive testing portion of the audit will be. While it may feel like there is an abundance of time remaining until the ASC 842 transition deadline, taking steps now to understand the risks associated with lease accounting and identifying and establishing controls to mitigate those risks will promote a smooth transition.

The next release in this series will cover the expected efforts regarding substantive testing, including the importance of accurate calculations and presentation within the financial statements.

Check out our Post-Transition Lease Audit Playbook.