Companies choosing to stick with the old COSO internal control framework this year might find a mention of that fact by auditors in the audit report.

Deloitte & Touche recently issued an alert on its observations of the COSO 2013 Internal Control — Integrated Framework adoption, saying that where companies are not adopting the new framework this year, auditors should indicate in their audit reports exactly what framework was used. “We believe that in a manner consistent with the approach for disclosing the exact COSO framework used in management’s ICFR assessment, it would be appropriate to indicate in the auditor’s report the exact framework used,” the alert says.

Deloitte says it has observed that most companies are moving forward with adopting the 2013 framework this year in accordance with COSO’s guidance on transitioning away from the 1992 framework to the new version. COSO updated the framework and released it in May 2013, telling companies the old framework would be considered “superseded” by Dec. 15, 2014. The Securities and Exchange Commission says companies are required to use a “suitable” framework, but it hasn’t explicitly said it would consider the 1992 framework unsuitable. The SEC has indicated it defers to COSO’s transition guidance and expects companies to disclose what framework they are using to achieve compliance with Sarbanes-Oxley reporting on internal control over financial reporting.

In its alert, Deloitte says most companies are adopting the new framework because boards, audit committees, and management want to use “the latest guidance and leading practices,” and because they believe investors, bankers, regulators and other stakeholders will expect it. They also do not want to be perceived as lagging their industry peers, the firm says. Deloitte says companies also are citing the new framework’s “clearer explanation” of the components of internal control as a reason for adopting this year.

The alert provides less insight into why some companies might choose not to adopt the new framework this year. “Their decisions were generally based on consultations with a number of stakeholders, including the board, audit committee, and internal and external auditors,” Deloitte says. “Regardless of their decision, companies should clearly disclose in their annual assessment of ICFR whether they used the 1992 framework or the 2013 framework.”

Deloitte also provides a principle-by-principle summary of the implementation difficulties companies have encountered as they perform their gap analyses and update their control environments to reflect the new framework. Trouble spots include tendencies to slip into a check-the-box approach, managing change and its inherent risks, segregation of duties, overreliance on imprecise controls, controls around outsourced service providers, various IT control issues, and control design.