Share

Accounting Update & Risk Considerations for Cloud Computing Arrangements

Background

In August 2018, the Financial Accounting Standards Board (FASB) issued ASU 2018-15 Intangibles-Goodwill and Other-Internal-Use Software (Subtopic 350-40) that clarified the accounting for the implementation, set-up and other upfront costs incurred by customers in a cloud computing arrangement (CCA) that is hosted by a vendor and determined to be a service contract.

ASU 2015-05 Intangibles-Goodwill and Other-Internal-Use Software (Subtopic 350-40) issued in April 2015 clarified when hosted arrangements would be either viewed as internal-use software or a service contract.

Companies are turning to cloud computing at an increasing rate to achieve cost savings, flexibility, scalability, and business continuity advantages. It is important to consider the guidelines in ASU 2018-15 to ensure appropriate accounting, but it is also important to consider the accompanying risk that comes with all the benefits of cloud solutions.

Whether a company is adopting cloud technology for the first time or integrating it into a new business process, organizations must be aware of the associated risks, internal controls, and financial reporting considerations. Identifying and evaluating the risks with moving to cloud and having mitigation plans to address these risks will allow companies to make a well-informed decision to ensure business objectives can be met successfully.

Implementing a Cloud Computing Arrangement (CCA)

ASU 2018-15 Accounting Clarification

With ASU 2018-15, the FASB clarified that the accounting for implementation costs associated with a CCA determined to be a service contract are to be accounted using the Internal-Use Software (ASC 350-40) guidance. Under ASU 2018-15, companies will need to analyze the nature of costs incurred in a CCA to determine the correct accounting. Some CCA pricing arrangements include multiple elements such as license or hosting fees, software training, data conversion, maintenance, and rights to future software upgrades. Those costs need to be allocated based on relative standalone price of those elements.

Costs that could be capitalized in a CCA include external fees and fees paid to third parties to implement the hosted CCA, internal payroll and employee benefit costs for those directly associated with implementing the hosted CCA and activities to configure or customize the hosted CCA. Training, data conversion and maintenance costs should be expensed as incurred.

Implementation costs of a CCA that are capitalized are amortized over the term of the hosting arrangement on a straight-line basis unless another systematic amortization approach is more representative of the pattern of benefit. Amortization for CCAs with multiple components or modules should be allocated to the component or module with amortization commencing when that component or module is ready for its intended use. Amortization expense is presented in the same line as the expense for services fees incurred for the hosting arrangement.

Capitalized implementation costs are presented in the statement of financial position in the same line as prepayment of service fees for the hosting contract. Cash flows for the implementation costs should be presented in the same manner as cash flows for service fees paid for the CCA (generally operating cash flows).

ASU 2018-15 is effective for public business entities for fiscal years beginning after December 15, 2019, and interim periods within those fiscal years. The effective date for all other entities is for annual reporting periods beginning after December 15, 2020 and interim periods beginning after December 15, 2021. Early adoption is permitted. The adoption should be applied either retrospectively or prospectively to all implementation costs incurred after the date of adoption.

Risk and Internal Controls

Governance and Project Oversight

Prior to implementing a cloud computing solution, it is important to ensure that the cloud program is properly aligned with a company’s business strategy. Developing governance and oversight at the appropriate levels within the organization is necessary to properly coordinate the efforts of the cloud project team with management’s objectives. This will help facilitate communication and information-sharing of the involved parties, and will align goals, deadlines, and project timelines.

In turn, significant delays and financial overruns throughout the course of the implementation may be avoided and the cloud adoption will help the company achieve the anticipated benefits it originally sought.

Risk Identification and Internal Control Considerations

Companies hesitant to adopt cloud technology will often cite data security as a key concern and deterrent. Relying on vendors to store and manage a company’s data (particularly on a public cloud) will certainly present a new set of risks associated with storing that data.

However, much of the internal control considerations and due diligence procedures are not drastically different than those associated with hosting data internally. It is important for a company to identify its most critical and sensitive information that will be stored in the cloud and enact measures to protect this data. This may include encryption as well as working with the cloud vendor to provision and develop specific controls surrounding this data.

As with critical data, privileged user access must be controlled. Appropriate access controls should be implemented, particularly surrounding administrative accounts. This will apply not only to the company, but also to its cloud service provider. It is important to perform due diligence surrounding the cloud service provider’s various user access controls.

However, due diligence of a cloud service provider must extend beyond its access controls. An organization should understand the vendor’s IT infrastructure and thoroughly evaluate their disaster recovery plans.

As the number of cloud providers and applications in the market continues to increase, it is more important than ever to assess these critical features. A gap in a vendor’s business continuity plan or vulnerability in its infrastructure could lead to business interruption or countless other issues for a company relying on a cloud provider. Not only should an organization understand these key elements to help inform their vendor selection process, but this understanding will be critical for a business to tailor their ongoing processes and controls to align with and compensate for those of their vendor.

Legal and Compliance Considerations

Organizations must also be aware of any regulatory or compliance considerations associated with sharing their data. This may apply to sharing information across different jurisdictions, US states (e.g. California Consumer Privacy Act of 2018), or complying with the requirements of the General Data Protection Regulation (GDPR) for companies doing business in Europe or storing data related to European residents.

Even as key processes and data storage are outsourced, companies still bear the full responsibility to comply with applicable laws and regulations including protecting their customer’s sensitive data.

Although project governance, access controls, and vendor management are important for a company to understand when considering a move to the cloud, these basic risk management concepts are far from an exhaustive and complete list of controls to be relied upon.

However, understanding and implementing these most foundational elements is essential to managing the risks, and ultimately realizing the benefits associated with cloud technology.