A handful of holdouts are still disclosing they comply with the internal control reporting requirements of Sarbanes-Oxley by following a defunct control framework.

According to an analysis by Audit Analytics, two public companies that are subject to an audit of internal control disclosed in 2017 that they are following the 1992 version of the Internal Control — Integrated Framework authored by the Committee of Sponsoring Organizations. Southern Missouri Bancorp Inc. is one of those companies, which disclosed in its 2017 Form 10-K that it is still following the COSO 1992 framework to comply with Sarbanes-Oxley.

An accelerated filer with a June 30 year-end, Southern Missouri Bancorp also disclosed in its 2018 10-K that it complies with the internal control reporting provisions of SOX following the now-defunct 1992 framework. The company’s auditor, BKD, reported that the company maintained effective control in both years.

Virtually all public companies listed on U.S. exchanges follow the COSO framework to comply with Sarbanes-Oxley. COSO updated its internal control framework in 2013 to reflect changes in the business environment over two decades and to more explicitly articulate the principles of sound internal control. As it urged companies to transition to the new framework, COSO put its 1992 framework out to pasture.

The Securities and Exchange Commission has not stated an explicit requirement for public companies to update to the 2013 framework, but it requires companies to follow a suitable framework and it has said the COSO framework is suitable for that purpose. SEC staff indicated in various public forums that it expected companies to disclose what framework they were following, especially if they planned to hang on to the old framework, and they would begin questioning companies that did not update their controls.

O2Micro International Ltd. is the second filer to specifically name the defunct 1992 COSO framework as its means of compliance with internal control reporting. Based in the Cayman Islands with most of its operations abroad, especially in China, the company files Form 20-F with the SEC. Its auditor, Deloitte & Touche in China, says the company maintained effective control at the end of 2017. The company also disclosed in a prior filing it had paid fees to Deloitte to assist with a transition to the 2013 framework.

According to Audit Analytics, only 70 percent of public companies that are not subject to an audit of internal control under Sarbanes-Oxley disclosed in 2017 that they follow the 2013 framework. Among the other 30 percent, companies typically disclosed they were following the COSO framework without specifying which version or if they were following the 1992 framework. Some did not say which framework they utilized.

In addition to the two larger companies citing the 1992 framework, Audit Analytics also identified six companies that were not specific about which COSO framework they follow or followed a different framework entirely. BP, for example, based in London, says it complies with internal control requirements by following a framework approved by the U.K. Financial Reporting Council.

The SEC has brought a few enforcement actions that focused on allegations only of internal control failures, not accounting failures. Most recently, the SEC settled an action with construction firm Primoris Services Corp. over control deficiencies that eventually led to revenue misstatements. The SEC says Primoris learned in late 2014 it had control deficiencies that affected its accounting for contingent cost estimates, eventually causing revenue to be reported in the wrong quarters on three long-term projects.

“When it evaluated the effectiveness of its ICFR for the year, however, Primoris failed to properly assess the potential magnitude of the accounting misstatements that could have resulted from those control deficiencies because it only considered errors actually identified and did not consider either the total volume of activity, or the entire class of transactions, exposed to the control deficiencies,” the SEC wrote in its enforcement release. The emphasis on “could have” is contained in the SEC release.

Primoris is a smaller public company that is exempt from the requirement under Section 404(b) of Sarbanes-Oxley to submit its management report on the effectiveness of internal control to an audit. That doesn’t mean, however, that auditors ignore internal controls. Auditors are still required to consider internal controls during their financial statement audits.