I was surprised – and a bit concerned – at the results of a recent Protiviti study that looked at planned implementation of the revised COSO framework.
In our 2014 Sarbanes-Oxley Compliance Survey, we asked companies how far along they were in transitioning to the updated framework. A surprising number said they hadn’t made much progress. I’m hoping it was a timing issue. The framework was released in May 2013; we conducted the survey in early 2014, which may have been too early in the transition process to provide an accurate gauge as to where companies really are.
That said, the numbers are interesting, and we’re continuing to track this issue as 2014 progresses. I believe that companies should understand the level of effort required to implement the new control framework. Our experience is that for some companies, there may be a significant amount of work required to complete the transition. For others, the effort is not as much – particularly if their existing risks and controls documentation is up to date.
The COSO Board has stated that users should transition to the updated framework as soon as it is feasible given their particular circumstances. COSO will continue to make available the original 1992 framework through December 15, 2014; after this date, it will consider the framework superseded. This suggests that calendar-year companies must transition to the updated framework no later than calendar year 2014, while companies reporting on a non-calendar-year schedule would be expected to complete their transition at their first year-end following December 15, 2014. That said, there are unmistakable signs in the marketplace that some companies are not planning to meet this timetable for purposes of complying with Sarbanes-Oxley Section 404.
This is not a surprise. COSO is not a regulator, therefore it cannot mandate actions by issuers. However, as time goes on, it will be difficult for an issuer to take the position that the superseded 1992 version of the COSO framework qualifies under the SEC’s criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley. The SEC has elected not to rule on this matter as it has far bigger irons in the fire, but SEC staff has said they will watch developments on this front closely and monitor the transition for issuers continuing to use the 1992 framework, to evaluate whether and if any further action is appropriate at some point in the future.
We encourage companies to complete the transition in accordance with COSO’s guidance. For those companies choosing to defer the transition, we encourage them to consult with legal counsel and with their accounting firm and review their decision and supporting rationale with the audit committee. In addition, we recommend that they be prepared for a comment letter from the SEC. While we don’t think the SEC staff will issue a comment letter for 2014 calendar-year companies (but who really knows?), the risk clearly increases with the passage of time. If the company receives advice from the external auditor that it can delay the transition until next year, management should inquire of the auditor if the audit staff will use the principles and points of focus provided by the 2013 new framework in auditing the effectiveness of ICFR of audit clients electing to continue using the 1992 framework.
With respect to the level of effort, the most significant change in the new framework is the explicit articulation of 17 principles representing the fundamental concepts associated with each of the five components of internal control. Given the stakes, I’d expect most organizations to have already responded with a project-management-type approach to the transition, designating roles, responsibilities and authorities to proceed with the transition plan to the new structure provided by the updated framework.
My colleague Brian Christensen, the global leader in Protiviti’s Internal Audit and Financial Advisory practice, recently said that “a surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls. The survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”
I hope your organization isn’t one of them. If it is, there’s guidance available. Protiviti has published extensive guidance on the new framework, what it means and how to start implementing it. Especially valuable is the Third Edition of Protiviti’s “Frequently Asked Questions” document. We also have hosted a series of webinars on the new framework, recordings of which are available here.
Implementing the new COSO framework could represent a major undertaking for the issuer community accessing the U.S. capital markets; I hope your enterprise is well on its way as the end of 2014 is on the horizon. And whether you are or not, let us know how you are handling or planning the transition.