Internal Auditor, October 2010
As organizations seek new ways to rein in costs in the current economic environment, one of the options under consideration may be to increase internal software development efforts rather than to buy software off the shelf or outsource software development to a third party. Although this can save money, it requires organizations to perform a capitalization of labor audit (CLA) to test compliance with the mandates of the Financial Accounting Standards Board’s (FASB’s) Accounting Standards Codification (ASC) 350-40
Capitalization of Labor Audits
Reviewing whether internal software development projects comply with the FASB’s ASC 350-40 can give auditors a clear picture of the value IT projects deliver to the organization.
By Liji Thomas, CIA, Senior Auditor, Southwest Airlines
accounting and technology functions and challenge auditors to explore the interplay of these activities in more depth than a CLA. Nevertheless, if approached with an inquisitive mind, this type of audit can lend great insight into an organization’s software development life cycle (SDLC) methodology as well as lead an enterprise to clarify the value added by IT investments. How does an internal audit department go about testing compliance with this pronouncement? The answer lies in knowing the organization’s IT process and SDLC methodology.
IMPLICATIONS FOR DEVELOPMENT
Most organizations that create software follow a specific SDLC methodology. The typical SDLC model includes planning, design, implementation, and testing phases. To comply with ASC 350-40, some organizations map certain tasks to each of these phases. It is the project manager’s responsibility to ensure that time is charged to the correct phase. Some IT organizations are moving toward agile development methodologies, where they construct an application iteratively and incrementally. Agile methodologies do not follow a linear approach to software development; instead, they promote development, collaboration, adaptability, and teamwork throughout the project’s life cycle, which complicates the task of recording time to the correct phases. Another approach is to expense all time spent on software development initially and then go back and reclassify software development expenses as capital costs depending on the type of work that was performed.
Regardless of the method used, auditors who embark on a CLA have a significant undertaking. They must first understand the accounting pronouncement and its implication for internal software development. Then, they must understand the way the SDLC or agile development methodology has been designed at the organization and the technology team’s process for capturing and categorizing software development costs. This undertaking will require auditors to roll up their sleeves and dig into the details of the IT process, the methodology, and the accounting pronouncement.
AUDIT PLANNING CONSIDERATIONS
Given this basic understanding of what a CLA entails, auditors
should consider several factors in planning such an audit. They
can identify risk and related controls to be tested in a CLA by
asking questions such as:
• How is the organization’s SDLC methodology defined? If specific tasks are mapped to the methodology, are they mapped to phases in compliance with ASC 350-40?
• What controls are in place to ensure that software development time is captured and recorded appropriately? If project managers serve as the primary controls, have they been trained on the importance of capturing and recording software development time accurately?
• Are there clearly defined start and stop dates for the phases of a technology project? If the phases have been extended or revised — as they often will be — have corresponding changes been made to ensure that time is captured and recorded accurately?
• Does the organization use contractors in software development? If so, how is the contractors’ time captured and recorded? If the accounts payable department is involved with the receipt and coding of contractor invoices, is this process robust enough to ensure full and consistent compliance with ASC 350-40?
The answers to these questions will help ensure that auditors have considered several angles of a CLA that often go unexplored or do not receive full consideration until the audit is well underway. Understanding these nuances early on can help ensure adequate staffing and resources for the audit as well as
Learning From CLAs
Capitalization of labor audits (CLAs) can be an excellent training ground for internal auditors. In analyzing costs involved in developing internal software, the auditors assigned to the audit team are challenged to think outside the accounting and technology silos that often exist in an organization and to think critically about interplays between those two areas. Moreover, during a CLA auditors learn to dissect the complex processes that may exist to capture time and that ultimately determine how software expenses are treated and recorded in the company’s general ledger. This experience can teach auditors to grasp new concepts quickly, identify key risks at the interface of processes, communicate effectively with all levels of management as well as their audit team, and link accounting and technology with value creation.
(formerly Statement of Position No. 98-1, Accounting for Costs of Computer Software Developed or Obtained for Internal Use).
ASC 350-40 provides guidance to ensure that organizations appropriately expense or capitalize the costs associated with creating internal use software. It dictates that only costs incurred during the application development stage can be capitalized. Costs incurred during the preliminary project and post-implementation stages, and any training costs, must be expensed as incurred.
Although adoption of ASC 350-40 has been mandatory since 1998, a CLA remains an intimidating topic for most audit departments. Few audits span the expanse of an organization’s
the timekeeping system and an organization’s ERP system may
either be an error on the technology side (with the system feed)
or an error on the accounting end (with how the feed is being
interpreted by the ERP system). If the CLA team does not fully
understand the root cause of the issue and stakeholders from
both technology and accounting are not aware of the issue, the
audit team’s recommendations may miss the mark, and it may
be difficult to receive buy-in from those two departments to
remedy the issue adequately.
Invoke Privilege. If it appears at the outset or during the course of the CLA that the subject of the audit may have legal ramifications for the organization, the audit team may want to inquire whether the legal department would like to have the audit performed under attorney-client privilege. This may be necessary if auditors determine that the organization has been treating expenses inappropriately, or it becomes necessary to solicit details about the process for the legal department to issue an opinion. Attorney-client privilege is a narrow but important protection that ensures that the audit team can do its work in the confidence that the end result will be used to benefit the organization. Privilege can only be invoked if the CLA is carried out under the direction of an attorney and for the purpose of rendering legal advice to the organization. Usually, the attorney will provide a memo explaining the information that he or she needs from the CLA, the involvement of the legal team, and direction that all materials must be kept confidential. Only documents and communications that are produced and take place after attorney-client privilege is implemented will be protected.
THE VALUE OF IT PROJECTS
Auditors miss the point if they pursue a CLA simply as a compliance endeavor. By critically examining the dynamic interface between business and technology, a CLA provides tremendous insight into the value IT projects provide to the organization. An analysis of the criteria that an organization uses to determine the capitalization and expense of software development projects can reveal whether the organization perceives long-term value from those projects. Such insight can give auditors a clearer picture of the organization’s compliance efforts, its long-term strategic focus, and the interplay of its accounting and technology functions.
To comment on this article, e-mail the author at liji.thomas@theiia.org.
give the audit team a clearer picture of how best to tackle both
the accounting and technology aspects relevant to the audit.
CONDUCTING THE AUDIT
A CLA will challenge the audit team to understand how ASC 350-40 links to technology, how the accounting function allocates development costs, and how the organization determines where value is created by IT projects. Given such a bold undertaking, there are a few best practices that auditors should follow in conducting the audit to avoid potential pitfalls.
Use an Integrated Audit Team. An integrated audit team that includes IT audit specialists can ensure that a CLA tests key risk areas adequately. For example, organizations often use timekeeping systems to track developers’ time spent to create internal-use software. Audit teams should consider any risks and controls in how these automated systems capture and report time during the development process. The accuracy of the time tracking can mean the difference between being compliant or noncompliant with ASC 350-40. Moreover, if the organization feeds timekeeping data into an enterprise resource planning (ERP) system, adequately analyzing the intersection of these systems may require more than a basic knowledge of technology to determine the root cause of any transmission errors. In such situations, having an IT auditor on the CLA team can be worthwhile.
Understand the Audit Objective. Auditors should ensure that there is a clear and consistent understanding of the audit objective across the board, from the audit team through the audit client and to all the various stakeholders. The objective is not to deal with expenses and capital items in a way that ensures the best bottom line; rather, the objective is to ensure that software development expenses are appropriately captured and categorized in accordance with ASC 350-40. Put simply, the audit should look at the process as opposed to the profits. For example, capitalizing software development costs as opposed to expensing them may be in the best interest of a company that seeks to boost its net income. But the focus of the audit should not be about boosting the company’s bottom line. Instead, the audit should focus on the process used to determine whether to capitalize or expense development costs and the procedures pursued to ensure costs are recorded in line with the mandates of ASC 350-40.
Engage and Communicate With Stakeholders. Part of what makes a CLA so engaging is the various departments that are involved. Strict compliance with ASC 350-40 demands involvement and knowledge of both accounting (i.e., the pronouncement and what it means to capitalize costs versus expense) as well as technology (i.e., the SDLC methodology that is used by the particular enterprise and how the phases of software development comply with the pronouncement). A successful CLA demands a careful look at all the stakeholders who are involved in the decision to capitalize or expense technology costs, from accounting personnel to project managers. Failure to identify and communicate with relevant stakeholders may result in short-sighted audit recommendations or a rejection of the audit recommendations. For example, a transmission error between