With the original 1992 COSO internal control framework deemed by COSO to be “superseded” as of December 15, 2014, companies are fast approaching the deadline for adoption of the updated 2013 COSO framework, But is it really a deadline? As quoted in this article inCompliance Week, COSO Chair Robert Hirth observes that the “’transition date for U.S.-listed companies is a bit squishy….COSO is not a standard setter or a regulator, so COSO can’t make anyone do anything. So there’s kind of this twilight zone of: when do you do it?’”
As you know, Exchange Act Rule 13a-15 requires that management evaluate annually the effectiveness of the company’s internal control over financial reporting based on a “suitable, recognized control framework.” The original framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992, is widely identified by public companies as the framework used by management to conduct this assessment. In 2013, COSO issued an updated Internal Control–Integrated Framework (2013 framework) and related documents, including a compendium of illustrative examples, that was authored by PwC under the direction of the COSO Board. The 2013 framework was designed to preserve the core strengths of the original framework, while enhancing it to “(i) clarify the requirements of effective internal control, (ii) update the context for applying internal control by reflecting many of the changes in business and operating environments, and (iii) broaden its application by expanding the operations and reporting objectives.” When COSO released the 2013 framework, it indicated that the 1992 framework would sunset on December 15, 2014. (See the executive summary for the 2013 framework as well as these news briefs of 5/20/13 and 11/20/13.)
Now, as the December 15 approaches, companies that are finding implementation of the 2013 framework more challenging than originally anticipated are apparently asking their auditors if they might be able to defer adoption. According to the article, in light of the absence of an express regulatory requirement, some auditors are cautiously assenting, as long as the delay, and presumably the reasons for it, are disclosed.
As reported in the article, representatives of KPMG have been recommending that clients take the time to get it right: “’If the company isn’t well into the process already and doesn’t have the resources in place to make the transition in 2014, don’t rush it. The important thing is to ensure a thorough, robust transition process.’ Rather than treating it as merely a compliance-related, check-the-box exercise, the transition to COSO 2013 is ‘an important opportunity to improve the efficiency and effectiveness of the business.’” According to one KPMG partner, “’Companies shouldn’t rush to transition if they’re not prepared for and don’t have the resources to do it….But you can’t be the last man standing in terms of being the only company that hasn’t transitioned.’ In an alert to audit committees summarizing the issue, KPMG related that 35 percent of the 1,600 participants in [a webcast] said they still weren’t sure whether they would complete the COSO implementation in 2014. Nearly 40 percent of participants said their companies had undertaken no significant transition activities at that point in time.” However, a Deloitte partner is taking a different approach, contending that, although late starters have some catch-up work to do, “[p]lenty of time remains to complete the implementation, but the project should be prioritized and staffed to achieve this timing.” It’s worth noting that the views of the other two Big Four firms on this issue were not reported in the article. Representatives of smaller audit firms cited in the article acknowledged that some companies would not be able to transition in time and questioned whether it’s appropriate to view the 1992 framework as suddenly unsuitable “just because the calendar flips to a new date.” Nevertheless, most of these firms appeared to be generally counseling companies to press forward on migration to the new framework.
As the COSO Chair acknowledged above, COSO has no regulatory enforcement authority. But how will regulators with enforcement authority react to companies that delay implementation? Is a framework that has seen its sunset still considered “suitable” and “recognized”? Or, does the flip of a calendar day suddenly make the framework unsuitable? As reported in this earlier Compliance Week article, in a 2013 meeting of SEC staff members with the Center for Audit Quality’s SEC Regulations Committee, the staff said that, while they deferred to COSO’s own remarks regarding timing of the transition, “the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement for a suitable, recognized framework,” especially after December 15, 2014. In addition, in a 2013 speech, the SEC’s Chief Accountant said “that the staff would monitor the transition and determine whether any SEC action would be necessary or appropriate at some point in the future.” Nevertheless, he “fell short of saying the staff firmly expected all companies to transition to the new framework….” According to KPMG, however, the “SEC has stated that it doesn’t intend to challenge companies—at least in the near-term—that don’t transition by December 15, 2014,” and advises that companies that do not fully transition in 2014 should “be prepared to communicate/disclose that to investors and regulators.”