Last year, together with Protiviti, Audit Analytics reviewed the progress of public companies in adopting the 2013 COSO Internal Control – Integrated Framework.
Data gathered from fiscal 2015 annual reports show that the implementation of the COSO framework for audited internal control over financial reporting is almost complete: 96 percent of companies reviewed used the 2013 Framework, in comparison to 82 percent for fiscal 2014.
Only a small portion of companies obtaining an auditor’s assessment of internal control continued to use the now superseded 1992 framework or did not disclose which framework they used.
We also see an improvement in the adoption rate of the 2013 framework among issuers with management-only opinions, or those companies that are not required to obtain an auditor’s assessment on the effectiveness of their ICFR. The number of management-only filers adopting the 2013 framework increased to 51 percent in fiscal 2015 reports from 37 percent in fiscal 2014.
There still appear to be some inconsistencies in adopting the new framework among management-only companies. While there has been an increase in the number of these companies that have adopted the new framework, there was also an increase in the number of such companies that chose not to disclose the framework they used in assessing the effectiveness of their internal control environments. In fact, there were at least 15 companies that disclosed the use of the 1992 framework for fiscal 2014, but then did not disclose which framework they followed in fiscal 2015.
Given that the SEC was clear about the importance of this new version, the continued use of an undisclosed framework is odd. Accordingly, more than 65 issuers have already received comment letters with a request for clarification like this one:
“Management’s Annual Report on Internal Control Over Financial Reporting, page 54: Please revise future filings to clarify which version, 1992 or 2013, of the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control – Integrated Framework you utilized when performing your assessment of internal control over financial reporting.”
If the language regarding the specific framework is unclear or inconsistent with the auditor’s report, the SEC provides these kinds of comments as well:
“Management’s Annual Report on Internal control over Financial Reporting and Attestation Report of Auditor: We note you disclosed in this report that management used the 1992 COSO Framework when evaluating the effectiveness of your internal control over financial reporting. We also note that Management’s Report on Internal control over Financial Reporting provided on page 30 in Exhibit 99.2 disclosed that management used the 2013 COSO Framework when evaluating the effectiveness of your internal control over financial reporting. In the requested amendment, please revise this section to disclose the correct COSO framework your management used to evaluate the effectiveness of your internal control over financial reporting.”
The companies that have received comment letters regarding the COSO framework are not limited to smaller issuers, but instead vary in size. For example, 19 companies with market caps ranging from $83 million to $70 billion received such letters.
COSO has indicated that it no longer supports the original version of the framework released in 1992 and considers it to be superseded by the 2013 version for years ended after December 15, 2014. As Protiviti’s Perspective suggests, it is just a matter of time before all companies use the revised framework in conjunction with their annual evaluations.