The Financial Accounting Standards Board (FASB) recently issued a proposal to clarify how to account for the costs of setting up business software packages that are managed in the cloud. If finalized, the proposal would let more of the costs of implementing a cloud computing contract be spread over the contract’s life.
Reporting Hosting Arrangements
In April 2015, the FASB published Accounting Standards Update (ASU) No. 2015-05, Intangibles — Goodwill and Other — Internal-Use Software (Subtopic 350-40): Customer’s Accounting for Fees Paid in a Cloud Computing Arrangement. The updated guidance helps businesses evaluate whether a cloud computing (or hosting) arrangement includes an internal-use software license.
When a hosting arrangement doesn’t include such a license, the arrangement must be accounted for as a service contract. This means businesses must expense the costs as incurred.
On the other hand, when the arrangement does include such a license, the customer must account for the software license by recognizing an intangible asset. To the extent that the payments attributable to the software license are made over time, a liability is also recognized.
The amendments in ASU No. 2015-05 didn’t address the accounting for the costs incurred to implement a service contract for a hosting arrangement, however.
Focusing on Implementation Costs
Over the last three years, companies have increasingly rejected servers installed at their premises in favor of cloud-based solutions. But the costs to set up the cloud services can be significant, and many companies would prefer not to immediately expense these setup costs.
In March 2018, the FASB issued Proposed ASU No. 2018-230, Intangibles — Goodwill and Other — Internal-Use Software (Subtopic 350-40): Customer’s Accounting for Implementation Costs Incurred in a Cloud Computing Arrangement That Is a Service Contract; Disclosures for Implementation Costs Incurred for Internal-Use Software and Cloud Computing Arrangements.
Businesses told the FASB that they see no economic difference between a contract that includes a license to run the software locally and a contract to have the application run on the cloud. So, they wanted to use similar accounting treatment for both types of contracts. As a result, the proposal would require consistent reporting for implementation costs for 1) a hosting arrangement that’s a service contract, and 2) developing or obtaining internal-use software (that a company runs on its servers or servers operated by a third party).
If the proposed changes are finalized, a customer in a cloud computing contract would have to include in the footnotes to its financial statements information about the software it purchases. The accounting for the service element of the hosting arrangement wouldn’t be affected by the proposed amendments.
Under the proposal, companies should refer to Accounting Standards Codification (ASC) Subtopic 350-40 on internal-use software to determine which implementation costs associated with a service contract for a cloud computing arrangement can be capitalized as an asset. The costs that can be capitalized will be treated as long-term assets and amortized over the life of the arrangement — not booked as an expense at the contract’s outset.
Expenses for developing or obtaining internal-use software that can’t be capitalized under the rules for intangibles — such as the costs for training and data conversion — wouldn’t be capitalized for a hosting arrangement that’s a service contract. The customer in the hosting arrangement would determine which of the three stages an implementation activity relates to:
- The preliminary project stage,
- The application development stage, or
- The post-implementation stage.
Implementation costs at the application development stage would be capitalized depending on their nature. But costs that are incurred during the preliminary project and post-implementation stages would be expensed as the activities are performed.
The amortization period would generally be the term of the hosting arrangement. This would include the noncancelable period of the arrangement, plus periods covered by any options to:
- Extend the arrangement if the customer is reasonably certain to exercise that option,
- Terminate the arrangement if the customer is reasonably certain not to exercise the termination option, and
- Extend (or not to terminate) the arrangement in which exercise of the option is in the control of the vendor.
Customers would need to reassess the estimated term of the arrangement periodically and account for any change in the estimated term as a change in accounting estimate.
The FASB is asking for public comments by April 30. Right now, no effective date has been set. Once its Emerging Issues Task Force (EITF) has an opportunity to review the feedback, the FASB will announce the next steps for this project and, if finalized, when the changes will go into effect.
Auditors Evaluate Cloud Computing Risks
Cloud computing is reshaping the storage of critical business information, including sensitive personal data of customers and employees. Similar to paper files, the cloud may bring considerable security risks — but risks associated with the cloud might not be readily understood by some business owners and executives.
External auditors have added the evaluation of cloud computing risks to their overview risk assessment. During audit procedures, they’re likely to ask questions about your company’s policies and procedures for storing and accessing data on the cloud. Examples include:
- What have you done to protect electronically stored data against hackers?
- Has your staff been trained about cloud computing security, including the dangers of opening phishing emails, sharing passwords and accessing company data in public places, such as coffee shops and airports?
- Do you have insurance to protect against and respond to cyberattacks or other cloud outages? (This coverage is usually supplemental to your business liability policy.)
- How often does your cloud computing provider back up the information it’s storing?
- How will you and your cloud provider respond if data is stolen by a third party, a cloud company employee or one of your employees?
- What’s your backup plan if the cloud goes down? Do you have a “backup cloud”?
- How much would a cyberattack or outage cost your company on a per-minute basis?
- What is your cloud computing vendor’s service-level commitment (typically stated as a percentage of the year)? And how does this commitment translate in terms of potential minutes of downtime for the year?
- How did the vendor’s service-level commitment compare to your actual downtime for the previous year?
- Do you have a service-level agreement that documents the availability of your data and the penalties if the data becomes unavailable?
- Does your company have a policy for transferring (and disposing of) data if you decide to switch cloud computing providers?
It’s a smart business practice to think about these questions before your auditors ask them. If you don’t know one of the answers — or if your answers are lacking — make it a priority to reinforce data security as soon as possible. Securing the cloud should be a proactive process, not a reactive one. Failing to identify potential pitfalls that are inherent in a cloud computing relationship can result in unexpected costs that can far exceed the short-term cost savings of operating on the cloud.
If you have any questions, please contact a Briggs & Veselka representative at (713) 667-9147.