
Buying Time on COSO’s Internal Control Framework Update.

Tammy Whitehouse | July 29, 2014

With no explicit regulatory mandate to adopt the recently revised internal control framework by the end of 2014, companies sweating the sunset of the old framework are starting to ask: “Can we take another year to work on this?”

Ever so cautiously, auditors are starting to say: “Sure. Just disclose it.”

“People are starting to make that appeal: ‘Is this the year?’” says Brian Christensen, executive vice president at advisory firm Protiviti and leader of its internal audit and financial controls services. “We are starting to see that dialogue increase.”

The 1992 Internal Control — Integrated Framework that virtually every public company in the United States relies on to achieve compliance with the Sarbanes-Oxley Act officially ceases to exist on Dec. 5, 2014. It will be superseded by the 2013 version of the framework updated by the Committee of Sponsoring Organizations, or COSO. The new framework reflects modern business conventions better than its 20-year-old predecessor and more explicitly requires the 17 principles of internal control to be present and functioning before an entity can assert it has adequate control over financial reporting.

COSO set the timeline for the old framework to expire and the new one to take effect, but has no regulatory authority to enforce it. The Securities and Exchange Commission has said it will defer to COSO’s guidance on the sunset of the old framework at the end of 2014, but would expect companies that don’t adopt the new framework to clearly disclose that fact and explain why.

Now, it seems, companies that are behind in the implementation of the new framework are starting to consider the delay-and-disclose option. “The transition date for U.S.-listed companies is a bit squishy,” says COSO Chairman Robert Hirth. “COSO is not a standard setter or a regulator, so COSO can’t make anyone do anything. So there’s kind of this twilight zone of: when do you do it?”

KPMG is suggesting that companies should take the time they need to implement it properly. During a recent webcast, KPMG partner Sharon Todd said she’s noticing companies that waited until after filing their 10-K to begin the COSO framework implementation are finding the task a bit more daunting than expected. “Those that just started after the 10-K was filed are probably in for a bit of a rude awakening, and are now perhaps reconsidering, if they’re a significant entity or multinational around the world, that perhaps next year might be a better transition date,” she said.

KPMG partner Dennis Whalen said during the same Webcast that the key for companies is to assure their implementation is thorough and robust. “Companies shouldn’t rush to transition if they’re not prepared for and don’t have the resources to do it,” he said. “But you can’t be the last man standing in terms of being the only company that hasn’t transitioned.” In an alert to audit committees summarizing the issue, KPMG related that 35 percent of the 1,600 participants in the Webcast said they still weren’t sure whether they would complete the COSO implementation in 2014. Nearly 40 percent of participants said their companies had undertaken no significant transition activities at that point in time.

Deloitte said companies that started the implementation last year when the new framework was released are on track. “Others who started late have some catch-up work to do,” says Sandy Herrygers, a partner with the firm. “Plenty of time remains to complete the implementation, but the project should be prioritized and staffed to achieve this timing.” EY and PwC did not respond to requests for comment.


Below, KPMG offers tips, based on the company’s recent Webcast and survey, on how best to transition to COSO 2013:

The transition to COSO 2013 may require more time and resources than expected. “Depending on how robust their existing internal control systems are, some companies are going to be surprised by the resources and effort this transition will require.” Some 17% of webcast listeners said they expect the COSO transition to be a “significant” undertaking in terms of time and resources. Others expect the effort to be moderate (47%) or minor (12%), but for a full 24%, time and resource requirements are still unclear. Companies may also be (pleasantly) surprised by internal controls they already have in place—which they may be able to take credit for under COSO 2013: “If your transition process is truly an enterprise-wide effort—which it should be—odds are, you’re going to find internal controls that already map to the updated COSO Framework. Make sure you take credit for those.”

Understand and monitor management’s transition process and timeline. Based on when the company plans to adopt the 2013 COSO Framework, “work backwards from there”: Does management have sufficient time and resources in place to carry out the key transition steps—e.g., gap analysis, mapping of controls to principles, testing and remediation, and documentation? Is internal audit involved as needed? Decide how frequently, and in how much detail, management should update the audit committee on the company’s transition activities (35% of webcast listeners said audit committee updates would be quarterly, and 15% said updates are provided “only at major milestones”).

Our Webcast survey found companies at various stages of their transition: 20% have completed a “preliminary gap assessment and transition plan,” 20% have “mapped their controls to COSO’s 17 principles,” 11% have identified and remediated control gaps, 11% have evaluated their system of internal controls under COSO 2013, and 38% said “no significant transition activities have been undertaken.”

Don’t rush the transition process. “If the company isn’t well into the process already and doesn’t have the resources in place to make the transition in 2014, don’t rush it. The important thing is to ensure a thorough, robust transition process.” Rather than treating it as merely a compliance-related, check-the-box exercise, the transition to COSO 2013 is “an important opportunity to improve the efficiency and effectiveness of the business.” (The SEC has stated that it doesn’t intend to challenge companies—at least in the near-term—that don’t transition by December 15, 2014.) If the company decides not to complete the transition in 2014, be prepared to communicate/disclose that to investors and regulators. About half of webcast listeners said their company plans to complete its COSO transition in 2014 (another 15% said they would not transition in 2014, and 35% were “not sure”).

Source: KPMG.

Delay Implementation?

Bill Watts, a partner at Crowe Horwath, says he’s also hearing some discussion around whether companies can or should consider delaying implementation. He’s been present at audit committee meetings where he’s heard other audit firms counseling committees that they could defer or delay implementation if they see a reason to do so. “Our position at Crowe is you should do it now because you’re running out of time,” he says. “It’s a great opportunity to take advantage of the new aspects of the framework from a risk management perspective, so why wait?”

One good reason for a delay, says Christensen, is if a company is in the midst of a significant merger or acquisition. “M&A activity has spiked up with a strong economy, so there are organizations going through sophisticated combinations,” he says. Implementations of enterprise resource planning systems might also make it difficult to implement a new internal control framework simultaneously, he says. “Those are good reasons, we believe, that indicate the control environment is in a state of change, so the focus is on getting that completed and continuing with the prior framework.”

McGladrey isn’t telling companies to take their time, but partner Sara Lord sees the movement and understands it. “There’s some evidence out there saying you do need to do this and take it seriously,” she says. “But there will be some companies that just don’t make it through.” Some are asking if the 1992 framework will suddenly become unsuitable to meet the reporting need just because the calendar flips to a new date, she says. “It’s a logical question, so that would be an argument to be made,” she says.

Mark Kultgen, another partner with McGladrey, says it’s possible some companies won’t get it done simply because they don’t have the staffing capacity. “I have yet to see a company that doesn’t want to migrate to the 2013 framework, but there is effort involved,” he says.

Lord emphasizes if companies decide not to adopt the framework this year, it will be important to communicate it to auditors so they can test controls accordingly. “Our audit standard is such that we audit to the framework management is using,” she says. “If they assert they are using the 1992 framework, we will audit to that. We can do that.”

Mike Rose, a partner with Grant Thornton, says he’s not hearing a word about any slowdown in adopting the new framework. “I’m seeing across the board full steam ahead,” he says.
