SlideShare a Scribd company logo

Cap_Labor_Publication

L
lijithomasswa
1 of 3
Download to read offline
57 O c t o b e r 2 0 1 0 I n t e r n a l A u d i t o r A s organizations seek new ways to rein in costs in the current economic environment, one of the options under consideration may be to increase internal software development efforts rather than to buy soft- ware off the shelf or outsource software development to a third party. Although this can save money, it requires organizations to perform a capitalization of labor audit (CLA) to test compli- ance with the mandates of the Financial Accounting Standards Board’s (FASB’s) Accounting Standards Codification (ASC) 350-40 Capitalization of Labor Audits Reviewing whether internal software development projects comply with the FASB’s ASC 350-40 can give auditors a clear picture of the value IT projects deliver to the organization. By liji thomas, cia senior auditor southwest airlines
58 I n t e r n a l A u d i t o r O c t o b e r 2 0 1 0 accounting and technology functions and challenge auditors to explore the interplay of these activities in more depth than a CLA. Nevertheless, if approached with an inquisitive mind, this type of audit can lend great insight into an organization’s software development life cycle (SDLC) methodology as well as lead an enterprise to clarify the value added by IT investments. How does an internal audit department go about testing com- pliance with this pronouncement? The answer lies in knowing the organization’s IT process and SDLC methodology. IMPLICATIONS FOR DEVELOPMENT Most organizations that create software follow a specific SDLC methodology. The typical SDLC model includes planning, design, implementation, and testing phases. To comply with ASC 350-40, some organizations map certain tasks to each of these phases. It is the project manager’s responsibility to ensure that time is charged to the correct phase. Some IT organizations are moving toward agile development methodologies, where they construct an application iteratively and incrementally. Agile methodologies do not follow a linear approach to soft- ware development; instead, they promote development, col- laboration, adaptability, and teamwork throughout the project’s life cycle, which complicates the task of recording time to the correct phases. Another approach is to expense all time spent on software development initially and then go back and reclassify software development expenses as capital costs depending on the type of work that was performed. Regardless of the method used, auditors who embark on a CLA have a significant undertaking. They must first under- stand the accounting pronouncement and its implication for internal software development. Then, they must understand the way the SDLC or agile development methodology has been designed at the organization and the technology team’s pro- cess for capturing and categorizing software development costs. This undertaking will require auditors to roll up their sleeves and dig into the details of the IT process, the methodology, and the accounting pronouncement. AUDIT PLANNING CONSIDERATIONS Given this basic understanding of what a CLA entails, auditors should consider several factors in planning such an audit. They can identify risk and related controls to be tested in a CLA by asking questions such as: n How is the organization’s SDLC methodology defined? If specific tasks are mapped to the methodology, are they mapped to phases in compliance with ASC 350-40? n What controls are in place to ensure that software devel- opment time is captured and recorded appropriately? If project managers serve as the primary controls, have they been trained on the importance of capturing and recording software development time accurately? n Are there clearly defined start and stop dates for the phases of a technology project? If the phases have been extended or revised — as they often will be — have corresponding changes been made to ensure that time is captured and recorded accurately? n Does the organization use contractors in software devel- opment? If so, how is the contractors’ time captured and recorded? If the accounts payable department is involved with the receipt and coding of contractor invoices, is this process robust enough to ensure full and consistent com- pliance with ASC 350-40? The answers to these questions will help ensure that auditors have considered several angles of a CLA that often go unex- plored or do not receive full consideration until the audit is well underway. Understanding these nuances early on can help ensure adequate staffing and resources for the audit as well as Capitalization of labor audits (CLAs) can be an excellent training ground for internal auditors. In analyzing costs involved in developing internal software, the auditors assigned to the audit team are challenged to think out- side the accounting and technology silos that often exist in an organization and to think critically about interplays between those two areas. Moreover, during a CLA auditors learn to dissect the complex processes that may exist to capture time and that ultimately determine how software expenses are treated and recorded in the company’s gen- eral ledger. This experience can teach auditors to grasp new concepts quickly, identify key risks at the interface of processes, communicate effectively with all levels of man- agement as well as their audit team, and link accounting and technology with value creation. Learning From CLAs (formerly Statement of Position No. 98-1, Accounting for Costs of Computer Software Developed or Obtained for Internal Use). ASC 350-40 provides guidance to ensure that organizations appropriately expense or capitalize the costs associated with creating internal use software. It dictates that only costs incurred during the application development stage can be capitalized. Costs incurred during the preliminary proj- ect and post-implementation stages, and any training costs, must be expensed as incurred. Although adoption of ASC 350-40 has been mandatory since 1998, a CLA remains an intimidating topic for most audit departments. Few audits span the expanse of an organization’s
59 O c t o b e r 2 0 1 0 I n t e r n a l A u d i t o r ca p itali z ati o n o f la b o r a u d it s the timekeeping system and an organization’s ERP system may either be an error on the technology side (with the system feed) or an error on the accounting end (with how the feed is being interpreted by the ERP system). If the CLA team does not fully understand the root cause of the issue and stakeholders from both technology and accounting are not aware of the issue, the audit team’s recommendations may miss the mark, and it may be difficult to receive buy-in from those two departments to remedy the issue adequately. Invoke Privilege If it appears at the outset or during the course of the CLA that the subject of the audit may have legal rami- fications for the organization, the audit team may want to inquire whether the legal department would like to have the audit performed under attorney-client privilege. This may be necessary if auditors determine that the organization has been treating expenses inappropriately, or it becomes necessary to solicit details about the process for the legal department to issue an opinion. Attorney-client privilege is a narrow but important protection that ensures that the audit team can do its work in the confidence that the end result will be used to benefit the organization. Privilege can only be invoked if the CLA is carried out under the direction of an attorney and for the purpose of rendering legal advice to the organiza- tion. Usually, the attorney will provide a memo explaining the information that he or she needs from the CLA, the involve- ment of the legal team, and direction that all materials must be kept confidential. Only documents and communications that are produced and take place after attorney-client privilege is implemented will be protected. THE VALUE OF IT PROJECTS Auditors miss the point if they pursue a CLA simply as a com- pliance endeavor. By critically examining the dynamic interface between business and technology, a CLA provides tremendous insight into the value IT projects provide to the organization. An analysis of the criteria that an organization uses to deter- mine the capitalization and expense of software development projects can reveal whether the organization perceives long- term value from those projects. Such insight can give auditors a clearer picture of the organization’s compliance efforts, its long-term strategic focus, and the interplay of its accounting and technology functions. To comment on this article, e-mail the author at liji.thomas@ theiia.org. give the audit team a clearer picture of how best to tackle both the accounting and technology aspects relevant to the audit. CONDUCTING THE AUDIT A CLA will challenge the audit team to understand how ASC 350-40 links to technology, how the accounting function allocates development costs, and how the organization deter- mines where value is created by IT projects. Given such a bold undertaking, there are a few best practices that auditors should follow in conducting the audit to avoid potential pitfalls. Use an Integrated Audit Team An integrated audit team that includes IT audit specialists can ensure that a CLA tests key risk areas adequately. For example, organizations often use timekeeping systems to track developers’ time spent to cre- ate internal-use software. Audit teams should consider any risks and controls in how these automated systems capture and report time during the development process. The accuracy of the time tracking can mean the difference between being compliant or noncompliant with ASC 350-40. Moreover, if the organization feeds timekeeping data into an enterprise resource planning (ERP) system, adequately analyzing the intersection of these systems may require more than a basic knowledge of technology to determine the root cause of any transmission errors. In such situations, having an IT auditor on the CLA team can be worthwhile. Understand the Audit Objective Auditors should ensure that there is a clear and consistent understanding of the audit objec- tive across the board, from the audit team through the audit client and to all the various stakeholders. The objective is not to deal with expenses and capital items in a way that ensures the best bottom line; rather, the objective is to ensure that software development expenses are appropriately captured and categorized in accordance with ASC 350-40. Put simply, the audit should look at the process as opposed to the profits. For example, capitalizing software development costs as opposed to expensing them may be in the best interest of a company that seeks to boost its net income. But the focus of the audit should not be about boosting the company’s bottom line. Instead, the audit should focus on the process used to determine whether to capitalize or expense development costs and the procedures pursued to ensure costs are recorded in line with the mandates of ASC 350-40. Engage and Communicate With Stakeholders Part of what makes a CLA so engaging is the various departments that are involved. Strict compliance with ASC 350-40 demands involvement and knowledge of both accounting (i.e., the pronouncement and what it means to capitalize costs versus expense) as well as technology (i.e., the SDLC methodology that is used by the particular enterprise and how the phases of software devel- opment comply with the pronouncement). A successful CLA demands a careful look at all the stakeholders who are involved in the decision to capitalize or expense technology costs, from accounting personnel to project managers. Failure to identify and communicate with relevant stakeholders may result in short-sighted audit recommendations or a rejection of the audit recommendations. For example, a transmission error between By critically examining the dynamic interface between business and technology, a CLA provides tremendous insight into the value IT projects yield.

Recommended

policyIQ for COSO 2013 Internal Control - Integrated Framework
policyIQ for COSO 2013 Internal Control - Integrated FrameworkpolicyIQ for COSO 2013 Internal Control - Integrated Framework
policyIQ for COSO 2013 Internal Control - Integrated Frameworksbyearly
 
When People Fall From Grace: Reconsidering the Role of Envy in Schadenfreude
When People Fall From Grace: Reconsidering the Role of Envy in SchadenfreudeWhen People Fall From Grace: Reconsidering the Role of Envy in Schadenfreude
When People Fall From Grace: Reconsidering the Role of Envy in SchadenfreudeIsal Kadal
 
Peraturan Menteri Keuangan Nomor 144 tahun 2014.
Peraturan Menteri Keuangan Nomor 144 tahun 2014.Peraturan Menteri Keuangan Nomor 144 tahun 2014.
Peraturan Menteri Keuangan Nomor 144 tahun 2014.Isal Kadal
 
UU Nomor 11 Tahun 2014
UU Nomor 11 Tahun 2014UU Nomor 11 Tahun 2014
UU Nomor 11 Tahun 2014Isal Kadal
 
Фэшн Блог. Оборина Екатерина
Фэшн Блог. Оборина ЕкатеринаФэшн Блог. Оборина Екатерина
Фэшн Блог. Оборина ЕкатеринаFirmennyjj_Stil
 
Undang-undang RI nomor 10 tahun 1998 tentang perbankan
Undang-undang RI nomor 10 tahun 1998 tentang perbankanUndang-undang RI nomor 10 tahun 1998 tentang perbankan
Undang-undang RI nomor 10 tahun 1998 tentang perbankanIsal Kadal
 
Bai nien luan
Bai nien luanBai nien luan
Bai nien luanvuthoa_222
 
前列腺知识和保健
前列腺知识和保健前列腺知识和保健
前列腺知识和保健Jacksonlpl
 

Recommended

policyIQ for COSO 2013 Internal Control - Integrated Framework
policyIQ for COSO 2013 Internal Control - Integrated FrameworkpolicyIQ for COSO 2013 Internal Control - Integrated Framework
policyIQ for COSO 2013 Internal Control - Integrated Frameworksbyearly
 
When People Fall From Grace: Reconsidering the Role of Envy in Schadenfreude
When People Fall From Grace: Reconsidering the Role of Envy in SchadenfreudeWhen People Fall From Grace: Reconsidering the Role of Envy in Schadenfreude
When People Fall From Grace: Reconsidering the Role of Envy in SchadenfreudeIsal Kadal
 
Peraturan Menteri Keuangan Nomor 144 tahun 2014.
Peraturan Menteri Keuangan Nomor 144 tahun 2014.Peraturan Menteri Keuangan Nomor 144 tahun 2014.
Peraturan Menteri Keuangan Nomor 144 tahun 2014.Isal Kadal
 
UU Nomor 11 Tahun 2014
UU Nomor 11 Tahun 2014UU Nomor 11 Tahun 2014
UU Nomor 11 Tahun 2014Isal Kadal
 
Фэшн Блог. Оборина Екатерина
Фэшн Блог. Оборина ЕкатеринаФэшн Блог. Оборина Екатерина
Фэшн Блог. Оборина ЕкатеринаFirmennyjj_Stil
 
Undang-undang RI nomor 10 tahun 1998 tentang perbankan
Undang-undang RI nomor 10 tahun 1998 tentang perbankanUndang-undang RI nomor 10 tahun 1998 tentang perbankan
Undang-undang RI nomor 10 tahun 1998 tentang perbankanIsal Kadal
 
Bai nien luan
Bai nien luanBai nien luan
Bai nien luanvuthoa_222
 
前列腺知识和保健
前列腺知识和保健前列腺知识和保健
前列腺知识和保健Jacksonlpl
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Developmentessbaih
 
Mortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for SustainabilityMortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for SustainabilityCognizant
 
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURETHE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITUREAbhishek Sood
 
IMSM - Road to Implementation
IMSM - Road to ImplementationIMSM - Road to Implementation
IMSM - Road to ImplementationDelrae Eden
 
Dit yvol4iss34
Dit yvol4iss34Dit yvol4iss34
Dit yvol4iss34Rick Lemieux
 
Cfo insights evaluating_it
Cfo insights evaluating_itCfo insights evaluating_it
Cfo insights evaluating_itKamalakar Yadav
 
Outsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business CaseOutsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business CaseAltoros
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAHTommy Seah
 
auditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdfauditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdfnguyenanvuong2007
 
Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...Flexera
 
Sample audit plan
Sample audit planSample audit plan
Sample audit planMaher Manan
 
6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self Assessment6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self AssessmentStacey Kramer
 
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V12012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1Michael Boyle
 
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUEQUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUEeAuditor Audits & Inspections
 
It Governance Methodology Cox
It Governance Methodology CoxIt Governance Methodology Cox
It Governance Methodology CoxWilliam Cox MBA, QPM, CSM, PMP, CPHIMS
 
Measurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_CrosstalkMeasurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_Crosstalkpbaxter
 
SOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting valueSOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting valueDeloitte United States
 
Management model for exploratory investment in IT
Management model for exploratory investment in IT Management model for exploratory investment in IT
Management model for exploratory investment in IT WGroup
 
Business analysis
Business analysis Business analysis
Business analysis Gautam Kumar
 
Business analysis
Business analysis Business analysis
Business analysis Gautam Kumar
 

More Related Content

Similar to Cap_Labor_Publication

Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Developmentessbaih
 
Mortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for SustainabilityMortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for SustainabilityCognizant
 
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURETHE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITUREAbhishek Sood
 
IMSM - Road to Implementation
IMSM - Road to ImplementationIMSM - Road to Implementation
IMSM - Road to ImplementationDelrae Eden
 
Cfo insights evaluating_it
Cfo insights evaluating_itCfo insights evaluating_it
Cfo insights evaluating_itKamalakar Yadav
 
Outsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business CaseOutsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business CaseAltoros
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAHTommy Seah
 
auditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdfauditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdfnguyenanvuong2007
 
Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...Flexera
 
Sample audit plan
Sample audit planSample audit plan
Sample audit planMaher Manan
 
6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self Assessment6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self AssessmentStacey Kramer
 
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V12012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1Michael Boyle
 
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUEQUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUEeAuditor Audits & Inspections
 
Measurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_CrosstalkMeasurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_Crosstalkpbaxter
 
SOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting valueSOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting valueDeloitte United States
 
Management model for exploratory investment in IT
Management model for exploratory investment in IT Management model for exploratory investment in IT
Management model for exploratory investment in IT WGroup
 
Business analysis
Business analysis Business analysis
Business analysis Gautam Kumar
 
Business analysis
Business analysis Business analysis
Business analysis Gautam Kumar
 

Similar to Cap_Labor_Publication (20)

Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
 
Mortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for SustainabilityMortgage LOS Implementation: A Roadmap for Sustainability
Mortgage LOS Implementation: A Roadmap for Sustainability
 
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURETHE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
THE CIO PLAYBOOK NINE STEPS CIOS MUST TAKE FOR SUCCESSFUL DIVESTITURE
 
IMSM - Road to Implementation
IMSM - Road to ImplementationIMSM - Road to Implementation
IMSM - Road to Implementation
 
Dit yvol4iss34
Dit yvol4iss34Dit yvol4iss34
Dit yvol4iss34
 
Cfo insights evaluating_it
Cfo insights evaluating_itCfo insights evaluating_it
Cfo insights evaluating_it
 
Outsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business CaseOutsourcing Life Cycle: Assessment / Business Case
Outsourcing Life Cycle: Assessment / Business Case
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAH
 
auditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdfauditing Fram . from the start to Reporting .pdf
auditing Fram . from the start to Reporting .pdf
 
Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...Moving up the Software License Optimization Maturity Curve to Drive Business ...
Moving up the Software License Optimization Maturity Curve to Drive Business ...
 
Sample audit plan
Sample audit planSample audit plan
Sample audit plan
 
6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self Assessment6 Ways to Ensure the Success of your Next Contractor Self Assessment
6 Ways to Ensure the Success of your Next Contractor Self Assessment
 
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V12012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1
 
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUEQUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
QUALITY AUDIT TRACKING: THE KEY TO EFFICIENCY, EFFECTIVENESS AND VALUE
 
It Governance Methodology Cox
It Governance Methodology CoxIt Governance Methodology Cox
It Governance Methodology Cox
 
Measurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_CrosstalkMeasurement_Information Needs_paper_Crosstalk
Measurement_Information Needs_paper_Crosstalk
 
SOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting valueSOX modernization: Optimizing compliance while extracting value
SOX modernization: Optimizing compliance while extracting value
 
Management model for exploratory investment in IT
Management model for exploratory investment in IT Management model for exploratory investment in IT
Management model for exploratory investment in IT
 
Business analysis
Business analysis Business analysis
Business analysis
 
Business analysis
Business analysis Business analysis
Business analysis
 

Cap_Labor_Publication

  • 1. 57 O c t o b e r 2 0 1 0 I n t e r n a l A u d i t o r A s organizations seek new ways to rein in costs in the current economic environment, one of the options under consideration may be to increase internal software development efforts rather than to buy soft- ware off the shelf or outsource software development to a third party. Although this can save money, it requires organizations to perform a capitalization of labor audit (CLA) to test compli- ance with the mandates of the Financial Accounting Standards Board’s (FASB’s) Accounting Standards Codification (ASC) 350-40 Capitalization of Labor Audits Reviewing whether internal software development projects comply with the FASB’s ASC 350-40 can give auditors a clear picture of the value IT projects deliver to the organization. By liji thomas, cia senior auditor southwest airlines
  • 2. 58 I n t e r n a l A u d i t o r O c t o b e r 2 0 1 0 accounting and technology functions and challenge auditors to explore the interplay of these activities in more depth than a CLA. Nevertheless, if approached with an inquisitive mind, this type of audit can lend great insight into an organization’s software development life cycle (SDLC) methodology as well as lead an enterprise to clarify the value added by IT investments. How does an internal audit department go about testing com- pliance with this pronouncement? The answer lies in knowing the organization’s IT process and SDLC methodology. IMPLICATIONS FOR DEVELOPMENT Most organizations that create software follow a specific SDLC methodology. The typical SDLC model includes planning, design, implementation, and testing phases. To comply with ASC 350-40, some organizations map certain tasks to each of these phases. It is the project manager’s responsibility to ensure that time is charged to the correct phase. Some IT organizations are moving toward agile development methodologies, where they construct an application iteratively and incrementally. Agile methodologies do not follow a linear approach to soft- ware development; instead, they promote development, col- laboration, adaptability, and teamwork throughout the project’s life cycle, which complicates the task of recording time to the correct phases. Another approach is to expense all time spent on software development initially and then go back and reclassify software development expenses as capital costs depending on the type of work that was performed. Regardless of the method used, auditors who embark on a CLA have a significant undertaking. They must first under- stand the accounting pronouncement and its implication for internal software development. Then, they must understand the way the SDLC or agile development methodology has been designed at the organization and the technology team’s pro- cess for capturing and categorizing software development costs. This undertaking will require auditors to roll up their sleeves and dig into the details of the IT process, the methodology, and the accounting pronouncement. AUDIT PLANNING CONSIDERATIONS Given this basic understanding of what a CLA entails, auditors should consider several factors in planning such an audit. They can identify risk and related controls to be tested in a CLA by asking questions such as: n How is the organization’s SDLC methodology defined? If specific tasks are mapped to the methodology, are they mapped to phases in compliance with ASC 350-40? n What controls are in place to ensure that software devel- opment time is captured and recorded appropriately? If project managers serve as the primary controls, have they been trained on the importance of capturing and recording software development time accurately? n Are there clearly defined start and stop dates for the phases of a technology project? If the phases have been extended or revised — as they often will be — have corresponding changes been made to ensure that time is captured and recorded accurately? n Does the organization use contractors in software devel- opment? If so, how is the contractors’ time captured and recorded? If the accounts payable department is involved with the receipt and coding of contractor invoices, is this process robust enough to ensure full and consistent com- pliance with ASC 350-40? The answers to these questions will help ensure that auditors have considered several angles of a CLA that often go unex- plored or do not receive full consideration until the audit is well underway. Understanding these nuances early on can help ensure adequate staffing and resources for the audit as well as Capitalization of labor audits (CLAs) can be an excellent training ground for internal auditors. In analyzing costs involved in developing internal software, the auditors assigned to the audit team are challenged to think out- side the accounting and technology silos that often exist in an organization and to think critically about interplays between those two areas. Moreover, during a CLA auditors learn to dissect the complex processes that may exist to capture time and that ultimately determine how software expenses are treated and recorded in the company’s gen- eral ledger. This experience can teach auditors to grasp new concepts quickly, identify key risks at the interface of processes, communicate effectively with all levels of man- agement as well as their audit team, and link accounting and technology with value creation. Learning From CLAs (formerly Statement of Position No. 98-1, Accounting for Costs of Computer Software Developed or Obtained for Internal Use). ASC 350-40 provides guidance to ensure that organizations appropriately expense or capitalize the costs associated with creating internal use software. It dictates that only costs incurred during the application development stage can be capitalized. Costs incurred during the preliminary proj- ect and post-implementation stages, and any training costs, must be expensed as incurred. Although adoption of ASC 350-40 has been mandatory since 1998, a CLA remains an intimidating topic for most audit departments. Few audits span the expanse of an organization’s
  • 3. 59 O c t o b e r 2 0 1 0 I n t e r n a l A u d i t o r ca p itali z ati o n o f la b o r a u d it s the timekeeping system and an organization’s ERP system may either be an error on the technology side (with the system feed) or an error on the accounting end (with how the feed is being interpreted by the ERP system). If the CLA team does not fully understand the root cause of the issue and stakeholders from both technology and accounting are not aware of the issue, the audit team’s recommendations may miss the mark, and it may be difficult to receive buy-in from those two departments to remedy the issue adequately. Invoke Privilege If it appears at the outset or during the course of the CLA that the subject of the audit may have legal rami- fications for the organization, the audit team may want to inquire whether the legal department would like to have the audit performed under attorney-client privilege. This may be necessary if auditors determine that the organization has been treating expenses inappropriately, or it becomes necessary to solicit details about the process for the legal department to issue an opinion. Attorney-client privilege is a narrow but important protection that ensures that the audit team can do its work in the confidence that the end result will be used to benefit the organization. Privilege can only be invoked if the CLA is carried out under the direction of an attorney and for the purpose of rendering legal advice to the organiza- tion. Usually, the attorney will provide a memo explaining the information that he or she needs from the CLA, the involve- ment of the legal team, and direction that all materials must be kept confidential. Only documents and communications that are produced and take place after attorney-client privilege is implemented will be protected. THE VALUE OF IT PROJECTS Auditors miss the point if they pursue a CLA simply as a com- pliance endeavor. By critically examining the dynamic interface between business and technology, a CLA provides tremendous insight into the value IT projects provide to the organization. An analysis of the criteria that an organization uses to deter- mine the capitalization and expense of software development projects can reveal whether the organization perceives long- term value from those projects. Such insight can give auditors a clearer picture of the organization’s compliance efforts, its long-term strategic focus, and the interplay of its accounting and technology functions. To comment on this article, e-mail the author at liji.thomas@ theiia.org. give the audit team a clearer picture of how best to tackle both the accounting and technology aspects relevant to the audit. CONDUCTING THE AUDIT A CLA will challenge the audit team to understand how ASC 350-40 links to technology, how the accounting function allocates development costs, and how the organization deter- mines where value is created by IT projects. Given such a bold undertaking, there are a few best practices that auditors should follow in conducting the audit to avoid potential pitfalls. Use an Integrated Audit Team An integrated audit team that includes IT audit specialists can ensure that a CLA tests key risk areas adequately. For example, organizations often use timekeeping systems to track developers’ time spent to cre- ate internal-use software. Audit teams should consider any risks and controls in how these automated systems capture and report time during the development process. The accuracy of the time tracking can mean the difference between being compliant or noncompliant with ASC 350-40. Moreover, if the organization feeds timekeeping data into an enterprise resource planning (ERP) system, adequately analyzing the intersection of these systems may require more than a basic knowledge of technology to determine the root cause of any transmission errors. In such situations, having an IT auditor on the CLA team can be worthwhile. Understand the Audit Objective Auditors should ensure that there is a clear and consistent understanding of the audit objec- tive across the board, from the audit team through the audit client and to all the various stakeholders. The objective is not to deal with expenses and capital items in a way that ensures the best bottom line; rather, the objective is to ensure that software development expenses are appropriately captured and categorized in accordance with ASC 350-40. Put simply, the audit should look at the process as opposed to the profits. For example, capitalizing software development costs as opposed to expensing them may be in the best interest of a company that seeks to boost its net income. But the focus of the audit should not be about boosting the company’s bottom line. Instead, the audit should focus on the process used to determine whether to capitalize or expense development costs and the procedures pursued to ensure costs are recorded in line with the mandates of ASC 350-40. Engage and Communicate With Stakeholders Part of what makes a CLA so engaging is the various departments that are involved. Strict compliance with ASC 350-40 demands involvement and knowledge of both accounting (i.e., the pronouncement and what it means to capitalize costs versus expense) as well as technology (i.e., the SDLC methodology that is used by the particular enterprise and how the phases of software devel- opment comply with the pronouncement). A successful CLA demands a careful look at all the stakeholders who are involved in the decision to capitalize or expense technology costs, from accounting personnel to project managers. Failure to identify and communicate with relevant stakeholders may result in short-sighted audit recommendations or a rejection of the audit recommendations. For example, a transmission error between By critically examining the dynamic interface between business and technology, a CLA provides tremendous insight into the value IT projects yield.