Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.
For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.
Still, some companies delayed starting their transition until after their 2013 10-K and 2014 first quarter 10-Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will be able to say they follow the more modern framework, as COSO had hoped they would.
If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. However, if you don’t fall into this category, more time will be involved (how much time and how many resources will be required depends on the current state of your internal controls). At this point, it also means that the new controls put in place for the new framework have not been effective for the first eight months of the year, and therefore, reliance on these controls will be in question.
We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, if you haven’t started at all, this could also be the time to begin evaluating the new COSO framework for fiscal year 2015.
Where to begin
If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles, there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls address those controls that apply across the organization, and most of the new principles are aimed at those internal controls that reside at the organizational level.
If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should really start to familiarize yourself with them. Controls that only need to be documented, existing controls that are improved, and new controls that are added all need to be in place and working before you can rely on them. Any control you add or modify under the new framework that is not in place and in working order cannot be relied upon.
Based on those companies that have already mapped their entity level controls to the new framework, here’s what will likely happen. We have seen our clients experience a combination of three possible outcomes:
1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.
If your company has been following best practices in identifying internal controls within its entity level controls, then you will likely see that the transition to the new framework follows items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.
However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.
With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.
Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.