COSO 2013 Framework Adoption – Strong So Far …

Implementing the updated Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (Framework) during 2014 was an important endeavor for many public companies in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability.

COSO has indicated that it no longer supports the original version of the Framework released in 1992 and considers it to be superseded for years ended after December 15, 2014, by the updated version of the Framework completed in 2013. Accordingly, it is just a matter of time before all companies use the revised Framework in conjunction with their annual evaluations of ICFR.

A strong majority of organizations have adopted the revised framework “on time,” with a handful of early adopters leading the way. For almost 1,900 annual reports with fiscal year ends after December 15, 2014, (the date COSO announced its cessation of support of the original 1992 Framework) filed through March 4, 2015,[1] 80 percent had transitioned to COSO 2013. Of the remaining 20 percent:

  • 75 percent (or 15 percent of the total filings) reported their continued use of the 1992 Framework.
  • 25 percent (or five percent of the total filings) did not identify the version of the Framework they used.

It is possible that some of these latter filers may have transitioned to the 2013 Framework and did not disclose they had done so because the transition period had run its course and, therefore, the parenthetical disclosure in the internal control report was considered by these filers to be unnecessary. That said, if any of these filers continued to use the 1992 Framework, their lack of disclosure in their internal control report could pose a concern for the SEC staff. Bottom line, any way the data is cut, we can report that a strong majority of filers have transitioned to the 2013 Framework. As we will report in April in an issue of The Bulletin, for most of these companies the level of effort in consummating the transition was manageable.

The implications of the “on time” transition rate to companies that still must complete their transition is clear. They need to get on with it. We are confident that the strong majority of companies who have transitioned successfully and their experience in consummating the transition process will ensure that the SEC staff will not provide a “free pass” for year ends after December 15, 2015, except perhaps in the most extreme circumstances.

Jim

 

[1] As reported by Audit Analytics® through its internal controls management report and audit report database, available by subscription (www.auditanalytics.com).

One thought on “COSO 2013 Framework Adoption – Strong So Far …

  1. It’s great that you’re publicizing the COSO framework. Small companies with limited IT budgets will have a few people wearing many data security hats. Mentoring these companies as they grow means showing them how to divide data responsibilities among the CTO, CISO, and Chief Data Officer (CDO). I saw different approaches to this solution back in 2014 at Data Connectors’ Tech Security Conference: http://alfidicapitalblog.blogspot.com/2014/12/alfidi-capital-at-data-connectors-san.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s