Professional Documents
Culture Documents
RISKFACTOR REPORT
The 2016 BDO Retail RiskFactor Report examines the risk factors in the most recent 10-K filings
of the largest 100 publicly traded U.S. retailers; the factors are analyzed and ranked by order of
frequency cited.
ABOUT BDO
BDO is the brand name for
BDOUSA,LLP, a U.S. professional
services firm providing assurance, tax,
advisory and consulting services to
a wide range of publicly traded and
privately held companies. For more
than 100 years, BDO has provided
quality service through the active
involvement of experienced and
committed professionals.The firm
serves clients through 63 offices
and more than 450 independent
alliance firm locations nationwide.
As an independent Member Firm
of BDO International Limited, BDO
serves multi-national clients through
a global network of 1,408 offices in
154countries.
BDO USA, LLP, a Delaware limited
liability partnership, is the U.S.
member of BDO International
Limited, a UK company limited
by guarantee, and forms part of
the international BDO network of
independent member firms. BDO
is the brand name for the BDO
network and for each of the BDO
MemberFirms.
For more information please visit:
www.bdo.com.
2015
2014
#1
100%
#1
100%
#1
100%
#1t
100%
#4t
99%
#8
91%
#3
98%
#1t
100%
#3
98%
#4
96%
#1t
100%
#2
99%
#5
94%
#7
96%
#13
87%
#6
93%
#4
99%
#7
92%
#6t
93%
#6
98%
#4
96%
Legal Proceedings
#6t
93%
#9t
95%
#8t
91%
#9
91%
#7t
96%
#5
94%
#10
90%
#12t
92%
#17
78%
#11
88%
#9
95%
#6
93%
#12
87%
#15
89%
#8t
91%
#13
85%
#11
94%
#11
89%
#14
82%
#12
92%
#11t
89%
#15
76%
#14
90%
#13t
87%
International Operations
#16
73%
#17
86%
#15
80%
#16t
73%
#19
80%
#16
79%
#18
66%
#25
68%
#24
64%
#19
62%
#27
65%
#23
65%
Joint Ventures
#20
61%
#21
76%
#18
74%
Mandating EMV chip-compliant payment systems is an important first step in shoring up the
industrys cyber defenses, but its just the tip of the iceberg. Online and mobile transactions
remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked
and provide an access point to retailers networks. New forms of malware can also compromise
retailers IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some
juncture; the real question is what mechanisms have been put in place to mitigate the impact.
Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group
and Head of International BDO Cybersecurity
3
Spotlight on Cybersecurity
Targets massive data breach at the end of 2013 is arguably the event that woke up the world
to cyber. A sophisticated malware attack on the retailers POS system enabled the hackers to
steal credit card information from more than 70 million shoppers, making it one of the largest
retail hacks ever. Shortly thereafter, Home Depot and eBay were breached, to the tune of 53
million and 145 million compromised records respectively.
These headline-making cyberattacks may have shed light on
retailers vulnerability to data breaches, but the industrys
response has done little to deter hackers. According to
Verizons 2015 Data Breach Investigations Report, retailers
saw an average of 801 malware events per week in 2015,
the second-highest volume of attacks, surpassed only by
the frequency of attacks on educational institutions. And
while the majority of retail cyber incidents are the result of
point-of-sale intrusions, cybercriminals have expanded their
arsenal to include denial of service (DoS) and distributed
denial-of-service (DDoS) techniques, among other forms
ofmalware.
What steps can retailers take to avoid becoming the
next target? Prevention is only one component of
cyber preparedness. Expect to get hit, and know how
youllrespond.
Adopt a cybersecurity framework: The Retail
Industry Leaders Association has expressed
support for industry adoption of the National
Institute of Standards and Technology (NIST)
Cybersecurity Frameworka risk-based set of industry
standards and best practices aimed at reducing and
better managing cyber risks. While not a one-size-fits-all
solution, the NIST framework provides a basic roadmap
for retailers to assess their organizations cyber readiness,
identify and prioritize vulnerabilities according to risk
tolerance and criticality, and implement activities to support
corefunctions.
Protect the POS system: POS systems remain
the most common entry point for cybercriminals.
EMV chips offer more sophisticated
authentication technology, cutting down on
fraudulent credit card transactions. However, retailers
need an additional layer of security for the cardholders
information after the transaction is in the system. Build IT
firewalls that make it possible to isolate the POS system
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
Looking Forward
Nearly every year we add new risk factors
to our research, as new challenges arise for
the retail industry, and disclosures become
more detailed. One area weve been
watching closely is the regulatory space.
Federal, state and local regulations has
been a top 10 risk factor since the beginning
of our study, but as landmark legislation
like Dodd-Frank and the Affordable Care
Act have been implemented, weve seen
sentiment change in the retail industry.
More recently, a renewed focus abroad
and growing enforcement of corruption
and bribery laws have sparked greater
concern over compliance with the Foreign
Corrupt Practices Act (FCPA). Accounting
and financial reporting compliance risk
also appears to be increasingly prevalent
among the nations largest retailers.
Changing practices for both public and
private companies, spurred recently by
the newly issued standards for revenue
recognition and lease accounting, are just
beginning to be noted in 10-K filings, but
we expect those concerns to rise as retailers
prepare and plan for implementation in the
comingyears.
2008
2009
2010
2011
2012
2013
2014
2015
2016
Lease Accounting
The FASBs new lease accounting standard, ASU 2016-02,
Leases (Topic 842), was issued on Feb. 25, 2016, and is
designed to bring greater transparency on companies lease
assets and liabilities. The new standard, which is effective
for fiscal years beginning after Dec. 15, 2018, for public
companies, and Dec. 15, 2019 for private companies, including
interim periods within those fiscal years, requires:
LESSEES: to record a Right of Use (ROU) asset and a lease liability on the balance
sheet for all leases with terms longer than 12 months. Leases will be classified as
either finance or operating, with classification affecting the pattern of expense
recognition in the income statement. A modified retrospective transition approach
is required for lessees for capital and operating leases existing at, or entered into
after, the beginning of the earliest comparative period presented in the financial
statements, with certain practical expedients available.
LESSORS: to classify leases as either sales-type, finance or operating. A lease will
be treated as a sale if it transfers all of the risks and rewards, as well as control of
the underlying asset, to the lessee. If risks and rewards are conveyed without the
transfer of control, the lease is treated as a financing. If the lessor doesnt convey
risks and rewards or control, an operating lease results. A modified retrospective
transition approach is required for lessors for sales-type, direct financing, and
operating leases existing at, or entered into after, the beginning of the earliest
comparative period presented in the financial statements, with certain practical
expedients available.
The retail sector will arguably experience the greatest impact of the new lease
accounting standard, as they largely rely on leasing for their operations. The
lease accounting standard is expected to influence key performance metrics and
potentially real estate strategy.
There are three critical things that retailers need to do to prepare for the new lease accounting
standard. They need to take the time to fully understand the new rules impact on their businesses,
make sure investors are educated about forthcoming metric and financial reporting changes, and
assess the need for shifts in their overall real estate strategies and management systems. Its
important for retailers to think about the bigger picture economics of their lease obligations beyond just the
accounting.
Stuart Eisenberg, partner and leader of BDOs Real Estate and Construction practice
7
2016
2015
100%
2014
2013
80%
60%
40%
20%
0%
Inflation/
Deflation
Financial Market
Turmoil
Interest Rates
Unemployment
Currency Risk
Housing Market
A third of the largest retailers are concerned with enforcement of, and compliance with,
anti-corruption and bribery regulation this year, and the stakes have never been higher. We
are seeing unprecedented international regulatory coordination and a greater emphasis on
individual accountability for corporate misconduct, as articulated by the Yates Memo. The bar
for cooperation credit has also been set much higher, with new guidance on self-disclosure and remediation
clarifying requirements. The retail industry is far from immune to bribery and other forms of corruption.
Retailers should re-evaluate their internal compliance programs and internal investigation protocols to account
for the new standards.
Glenn Pomerantz, partner and leader of BDOs Global Forensics practice
ISSY KOTTON
Los Angeles
310-557-0300 / ikotton@bdo.com
JENNIFER DI GIOVANNI
Los Angeles
310-557-8274 / jadigiovanni@bdo.com
MIKE METZ
Minneapolis
952-656-2612 / mmetz@bdo.com
AL FERRARA
New York
212-885-8000 / aferrara@bdo.com
RICK SCHREIBER
Memphis
901-680-7607 / rschreiber@bdo.com
DOUGLAS HART
San Francisco
415-490-3314 / dhart@bdo.com
ALAN SELLITTI
New York
212-885-8599 / asellitti@bdo.com
NATALIE KOTLYAR
New York
212-885-8035 / nkotlyar@bdo.com
TED VAUGHAN
Dallas
214-665-0752 / tvaughan@bdo.com
Stay up to date on industry news and trends by following the Consumer Business practice @BDOConsumer or
checking out the Consumer Business Compass Blog.
CONTACT US:
FIRST NAME
LAST NAME
PHONE
SUBJECT
MESSAGE
SUBMIT
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firms individual needs.
2016 BDO USA, LLP. All rights reserved.