Companies Hesitant on Transition to COSO Revised Framework

When the Committee of Sponsoring Organizations (COSO) updated its widely used internal control framework, it provided plenty of lead time to make implementation easier and it appears that companies are taking advantage of it. Many are holding off on adopting the revised framework for now, instead waiting for more guidance or letting others jump in and take the lead.

Few companies see any advantage to being an early adopter, experts say. Many are waiting until 2014 to dig in. "Most finance organizations are aware of the new COSO Framework, have reviewed the principles and points of focus, at least at a high level, and do not anticipate any major gaps requiring remediation," says Andrew Schweik, director of risk services at Crowe Horwath. "Since the revised framework was issued in May, many companies appear to have taken a 'wait and see. approach."

COSO revised its Internal Control — Integrated Framework to freshen it up after two decades of advances in technology and changes in the business environment. Released in May, the new framework will supersede the old one, effective Dec. 15, 2014. Virtually all public companies rely on the COSO framework to achieve compliance with Sarbanes-Oxley Act reporting requirements on internal control over financial reporting.

Some companies are hoping to leverage lessons learned from other organizations and are hoping for additional SEC guidance, says Schweik. The SEC has long held the COSO framework in high esteem as a method of achieving Sarbanes-Oxley compliance, although it doesn't explicitly require it. SEC Chief Accountant Paul Beswick has said the staff of the SEC will monitor the transition and determine if any guidance is warranted, but it otherwise defers to the COSO board's determination that the old framework will cease to exist on Dec. 15, 2014, suggesting companies would be wise to adapt their controls to the new framework. The SEC's ambiguity, however, has led some companies to hold off, says Schweik.

The timing for transition has been another big point of discussion within companies, says James DeLoach, managing director at consulting firm Protiviti. “A substantial majority of companies are planning to implement in 2014, not 2013,” he says. “I don't know that companies are resisting, but they have a lot of questions about what the SEC will require. We're advising companies that if they really plan to wait, they need to have a plan in place to accommodate that.”

Mike Rose, a partner at Grant Thornton, says he doesn't see a great deal of expectation that the SEC might issue guidance, but instead companies are waiting because they can. “For the most part companies are waiting and taking it slow because there is some time,” he says. He sees some companies going through their gap analysis—lining the new framework against existing controls to see where controls may need adjustments—as part of their 2013 year-end planning. As they go through the process of doing walk-throughs and looking at design and operating effectiveness for this year's reporting, they're also considering where they may have gaps to address next year, he says.

Not all companies are sitting back, however. Mike O'Leary, global internal audit leader for EY, says he sees some diverse approaches. “By and large, the leading-practice companies are being proactive and recognizing this is going to be an important requirement,” he says. Internal control experts say in many cases where companies are adopting the updated framework early, it's because they are planning an initial public offering or a merger or acquisition. At Deloitte, partner Jennifer Burns says she sees companies undertaking a process to assess how well their existing controls cover the 17 principles articulated in the new framework, assessing current processes and documentation to identify gaps, and determining any needed changes.

“You need to really inspect the qualities of a point of focus and not just go down the checklist. Checking the box just gives the impression of doing a quick diagnostic, and that could be a little dangerous.”

—John McLaughlin,

Partner,

BDO USA

Ticking Boxes

As companies dig in, some say they're concerned about the extent to which they might rely on checklists, which became a taboo practice under Sarbanes-Oxley. “If you follow nothing but a check-the-box approach, you're not going to address the spirit of the guidance,” says O'Leary. “You're not going to get a lot of value out of the process.”

John McLaughlin, a partner with BDO USA, says he is cautioning companies about relying too heavily on checklists. “You have to start with some type of checklist just given the sheer numbers,” he says. The framework's five components are explained by 17 principles, which are supported by dozens of points of focus. “That's where the work is really going to occur.”

Sara Lord, a partner at McGladrey, says she's not disturbed so far by anything she's witnessed in the way of checklist reliance. She's a proponent of the implementation tool COSO provided with the new framework that helps companies assess their existing control environment in light of the new guidance. It is a more narrative tool than a checklist, she says, so it doesn't lend itself to a check-the-box mentality. “You need to think about the principle, so you're doing more of a remapping than a checklist,” she says. “It's an exercise of saying what do I have already, and how do I line that up with the principles?”

A SMOOTH TRANSITION

Below COSO offers companies suggestions on making a smooth transition to its new internal control integrated framework.

Source: COSO.

McLaughlin says the guidance is clear that companies need not assert coverage for every point of focus supporting every principle across all controls. “It's not 100 percent coverage,” he says. “But there's safety in numbers. You need to really inspect the qualities of a point of focus and not just go down the checklist. Checking the box just gives the impression of doing a quick diagnostic, and that could be a little dangerous.”

Ultimately, Dhiraj Malhotra, senior manager at EY, says he's hopeful companies will use the implementation exercise as an opportunity to focus on helping management achieve its business objectives as efficiently and effectively as possible. “It's not just about what is the mandatory requirement,” he says. “It's about embracing the framework more broadly. That's what we're seeing at the most innovative companies.”