Of the more than 3,000 filings collected through early April, three-fourths disclose that the company has adopted the 2013 COSO internal control framework; the rest either remain on the 1992 framework or do not disclose which framework was followed.
Based on an ongoing, unpublished analysis of filings through April 3 by consulting firm Protiviti, 2,318 public companies disclosed they have adopted the Internal Control -- Integrated Framework as updated by the Committee of Sponsoring Organizations in 2013. Another 513 companies disclosed they did not adopt the 2013 framework but continued to follow the 20-year-old framework that COSO officially put to rest on Dec. 15, 2014. Protiviti says 201 filings did not contain a disclosure that identified which framework the company was following.
Protiviti also tracked filings by audit firm and found more than half of companies that did not adopt the new framework are clients of KPMG. Of the 513 companies that disclosed use of the 1992 framework, 259 were audited by KPMG, which was one of the earliest firms to openly discuss the possibility that some companies would elect to remain on the old framework in 2014. Behind KPMG, EY had the next largest batch of clients that did not adopt the new framework at 77 companies. PwC had 35 clients that remained with the old framework, and Deloitte had 27.
COSO issued its update of the 1992 internal control framework in May 2013 and indicated it planned to sunset or supersede the old framework on Dec. 15, 2014. The Securities and Exchange Commission did not explicitly require companies to adopt the new framework by the time the old one would cease to exist, but indicated through staff remarks that it expected companies to disclose which framework they followed. SEC staff also indicated they would have questions for companies about the suitability of their framework choice the longer they remained with the old framework.
“I’ve been admiring from afar who did and didn’t transition to the new framework,” says Robert Hirth, chairman of COSO. “I’m glad to see companies heeded our transition guidance.” Hirth points out that there’s no explicit regulatory directive that tells companies they were required to adopt the 2013 framework. “It’s perfectly compliant to use the 92 framework, and KPMG leads the way in terms of their clients not adopting. They said don’t rush, that this is important. About half their client base is not adopting.”
Among smaller public companies that are not required to have an audit of their management assessment of internal controls, the adoption rate is 55 percent, says Hirth. “I thought that was interesting,” he says. “I didn’t have an expectation one way or the other in terms of how many would adopt. I just didn’t know what they were going to do.”