Moving to the Cloud – Risk, Control, and Accounting Considerations


Published on

Proformative presents Moving to the Cloud – Risk, Control, and Accounting Considerations. Special thanks to Jane Lin, Deloitte & Touche LLP.

To download full presentation, visit

Published in: Business, Technology

Moving to the Cloud – Risk, Control, and Accounting Considerations

  1. 1. THE RESOURCE FOR CORPORATE FINANCE, ACCOUNTING & TREASURY PROFESSIONALS Moving to the Cloud – Risk and Control Considerations Jane Lin Deloitte & Touche LLP
  2. 2. This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, accounting, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
  3. 3. Cloud Computing • Is the cloud the new software? • Will the evolution of the cloud and industry competition lead to accounting complexity similar to software in the late 1980’s? • Will there be wider tax implications? • Will there be added regulatory scrutiny?
  4. 4. Key Drivers for Cloud Computing • Key cloud computing drivers include lower cost of ownership, speed of delivery, flexibility, and scalability • Pay for what you use • Computing delivered as a • Repair and maintenance savings borderless utility • Software and license purchase • Applications live in a variety of savings locations and data flows across geographic boundaries • Physical space savings • Less in-house IT staff required • Accessibility from anywhere via Internet • Highly automated, easy/fast to deploy • Collaborating/sharing made easier between disparate offices, remote workers, and suppliers • 24X7 availability to applications and services • Ability to combine and create customized services instantly • Scalable services and applications
  5. 5. What Did the Cloud Bring? • New business models • New service offerings • New capabilities • Innovation • Outsourcing • Relinquishing operational control • Relinquishing ownership of IT resources • Effect on companies • Increased flexibility • Broader reach • Faster response time and results • Reduced time to market
  6. 6. Benefits and Advantages • On demand service accessed through Internet or internal network • Scalability and elastic capacity • Resource pooling • Minimize capital and other upfront costs • Increase IT agility and flexibility; improved IT service capabilities; faster innovation cycle with less business interruption • Reduced overall spending on IT as a result of lower project costs and fewer IT resources to support new business initiatives. Shifting of costs to vendor who spread cost across user base • Reduced IT overcapacity through the use of a “pay-as-you-go” model requiring fewer data center resources (hardware, space, power) and reduced maintenance costs and improve cyclical operations • Enable new business model to take competitive advantage • Leverage new IT architectures to enable policy-based management of business and IT
  7. 7. Benefits and Advantages • Accelerate time-to-benefit with reduced time to start up, implement, and complete projects • Optimize resources through the reallocation of staff to focus on “core” vs. “non-core” activities • Indirectly reduce other costs such as electricity, rent, salaries, and other overhead • Easier to maintain and upgrade
  8. 8. Challenges • Unintended effect on ‒ Business models ‒ Accounting and audit ‒ Taxes ‒ Internal controls ‒ Policies and procedures ‒ Corporate governance ‒ Laws and regulations • Exaggerated claims regarding current and future deliverables • Data security and privacy • Data center management • Regulatory and compliance • Fast paced, constant changes may lead to quicker obsolescence • Effective metering of customer usage • Integration costs and duration • Integrating SaaS and traditional applications • Managing and monitoring integration interfaces
  9. 9. Accounting and Audit • Revenue recognition • Cost deferral ‒ Software vs. non-software • Capitalization ‒ Billing model alone, whether utility or • Business combination subscription basis, does not ‒ On-going performance obligations necessarily determine revenue ‒ Deferred revenue recognition ‒ Multiple element arrangements • Adequacy of accounting and audit trail ‒ Hosting arrangements • US GAAP vs. IFRS ‒ Service arrangements ‒ Contract accounting ‒ Milestones ‒ Concessions ‒ Activation fees ‒ Usage-based fees ‒ Discounts ‒ Use it or lose it clauses
  10. 10. ASU 2009-13 (Issue 08-1) ASC 605-25 (Issue 00-21) ASU 2009-13 (Issue 08-1) Criteria for Separation Criteria for Separation Delivered element(s) have standalone value Delivered element(s) have standalone value Undelivered element(s) have objective and reliable evidence of fair value If a general right of return exists for delivered If a general right of return exists for delivered element, performance of the undelivered element, performance of the undelivered element is probable and in vendor’s control element is probable and in vendor’s control Allocation Methods Allocation Method Relative fair value Relative selling price Residual
  11. 11. Selling Price Hierarchy Must establish the selling price at inception of an arrangement for ALL deliverables in an arrangement whether delivered or undelivered Must use if it exists and if it is obtainable without undue cost and effort VSOE Vendor-Specific Objective Evidence If VSOE does not exist, use TPE if it exists and if it is Third-Party obtainable without undue TPE Evidence cost and effort Can use only if VSOE and TPE do not exist – new Estimated Selling concept under ASU 2009- ESP Price 13 (Issue 08-1)
  12. 12. Implementation Issues – Standalone Value • A deliverable has standalone value to the customer if − Sold separately by any vendor − Customer could resell item on a standalone basis (the existence of an observable market is not required) • Previously less of a focus in multiple-element arrangements because fair value threshold was a more common barrier to separation • Not an assessment under software guidance
  13. 13. Implementation Issues – Deliverables • Identification of deliverables in an arrangement ‒ Issue 08-1 does not change requirement to identify all deliverables in an arrangement ‒ Need to know all of the deliverables in order to accurately allocate selling price • Definition of a deliverable ‒ Not defined ‒ Consider the following: • Distinct action required • Exclusion or inclusion would cause arrangement fee to vary significantly • Failure to deliver results in a refund or penalty • Each performance obligation, including those ancillary to the primary product and those with no explicit monetary value • Essential to functionality of other products or services • Inconsequential or perfunctory ‒ Not a concept for software
  14. 14. Example – Delivery of Products and Services ASC 505-25 (Issue 00-21) ASU 2009-13 (Issue 08-1) Delivered Products Delivered Products VSOE exists VSOE exists Undelivered Services Undelivered Services No VSOE No VSOE No TPE No TPE Estimated selling price exists Estimated selling price exists 1 unit 2 units (Use of estimated selling price (Use of estimated selling price is not allowed; therefore, is allowed; therefore, cannot separate) separate) 1.5
  15. 15. Taxes – Classification (i.e., service, sale, rent; perhaps a bundled package) – Taxable presence – the “what, where, and how” • What activities take place in any given geography? • Where and how does contracting and delivery take place? • How are the operations structured, e.g., entities, branches? – Different rules for different types of tax (i.e., income, transaction, withholding) Domestic income tax issues Local country tax issues • Revenue recognition – Structure of business • Permanent establishment – Local country and characterization of transactions income tax, core business functions vs. • Foreign tax credits – Source of income, preparatory and auxiliary characterization, and credits • Characterization – Withholding tax or • Withholding tax services tax; treaty relief? • Nexus – Income and sales and use tax • Transactional tax – B-2-B, or B-2-C? • Apportionment – Tangible personal property Services provided in country? destination` • Transfer pricing – Also applies to U.S. and multistate income tax
  16. 16. Internal Controls • Integration of different technologies • Data security, access controls, and confidentiality • Who owns the data? How are they being used? Are controls in place? • How is security achieved? What is the level of privacy protection? • Any small incident may have exponential consequences for all provider’s customers • Are there risk management controls to applications and data? • Data availability and reliability • User control over services, resources, and information • Data centralization may simplify regulatory concerns but may lead to potential “single points of failure” • Regular location changes or data residing on multiple locations may result in increased regulatory scrutiny with data transfer across borders • Risk assessment • Policies and procedures • On-going monitoring • A need for more sophisticated corporate governance
  17. 17. Internal Controls • Sufficiency of back up, business continuity, data retention, and disaster recovery • A need to specify desired security levels in contract terms • A need for cloud providers/vendors to offer a higher degree of protection and transparency to customers • Users should request from vendors the evidence of compliance with regulations (general civil law, contract law, consumer protection law, e- commerce regulation, fair trade practice law) and generally accepted standards (PCI DSS, ISO27001). • Users may conduct audits of vendor controls, request vendor to provide service auditor (SAS 70) reports, or request vendor to hold security accreditations • Security controls users would like the vendors to adopt may be beyond the controls inherent to the cloud platform • Any new internal control requirements may increase cost
  18. 18. Regulatory Considerations • Regulatory considerations such as SOX and HIPAA • Blurred relationship between data and geographic location • Where is the actual physical location and which privacy rules apply? • Careful planning of cross-border nature of cloud computing can help minimize regulatory, tax, accounting, and audit issues • Compliance with local regulatory and legal requirements • Potential new laws and regulations
  19. 19. What We Are Seeing • Companies establish multiple business models and segments early on • Certain industries are slower to adopt (e.g., health care, insurance industries) • Multiple product and service offerings and complex organizational structure • Focus is on expanding business and service capabilities • The provision of similar products and services at lower fees are now more common • Pressure from users for lower fees • Too many handshakes and collaborations taking place for transactions • Accounting for revenue recognition is not less complex • Increased audit challenges • Increased tax complexity • Ultimately, will cost really decrease or only shift from capital to operating? • Accounting, tax, and laws and regulations have not yet caught up
  20. 20. What May be Expected • Cloud computing is here to stay • Continued growth and increased enterprise adoption of cloud computing, and major shifts in the IT industry, disrupting suppliers, and reshaping vendor roles • Pressure to reduce fees and costs also affect revenue and margins requiring new product and service offerings • Increased competition in product and service offerings may lead to business failures • New laws and regulations on privacy, infringement, taxes, data security, data transfer, and others • Tighter International e-commerce regulations • Potential new accounting rules • Can company with existing, higher cost technology and offering traditional products and services evolve fast enough to keep up with competition of newer, lower cost technology?