Last year, together with Protiviti, Audit Analytics reviewed the progress of public companies towards adoption of the new 2013 COSO Framework.
Data gathered from fiscal 2015 annual reports shows that the implementation of COSO for audited ICFRs is almost complete: 96% of companies reviewed used the 2013 Framework, in comparison to 82% for fiscal 2014. Only a small portion of companies obtaining an auditor’s assessment on their ICFRs continued to use the 1992 Framework, or did not disclose which framework they used.
We also see an improvement in the adoption rate of the 2013 Framework among issuers with management-only opinions (i.e., those companies that are not required to obtain an auditor’s assessment on the effectiveness of their ICFRs). The number of management-only filers adopting the 2013 Framework increased to 51% in fiscal 2015 reports, from 37% in fiscal 2014.
There still appears to be some inconsistencies in adopting the new framework among management-only companies. While there has been an increase in the number of these companies that have adopted the new framework, there was also an increase in the number of such companies that chose not to disclose the framework they used in assessing the effectiveness of their internal control environments. In fact, there were at least 15 companies that disclosed the use of the 1992 Framework for fiscal 2014, but then did not disclose their fiscal 2015 framework.
Given that the SEC was clear about the importance of this new version, the continued use of undisclosed framework is odd. Accordingly, over 65 issuers have already received comment letters with a request for clarification:
“Management’s Annual Report on Internal Control Over Financial Reporting, page 54
Please revise future filings to clarify which version, 1992 or 2013, of the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control – Integrated Framework you utilized when performing your assessment of internal control over financial reporting.”
If the language of specific framework is unclear or inconsistent with auditor’s report, the SEC notices:
“Management’s Annual Report on Internal control over Financial Reporting and Attestation
Report of Auditor
We note you disclosed in this report that management used the 1992 COSO Framework when evaluating the effectiveness of your internal control over financial reporting. We also note that Management’s Report on Internal control over Financial Reporting provided on page 30 in Exhibit 99.2 disclosed that management used the 2013 COSO Framework when evaluating the effectiveness of your internal control over financial reporting. In the requested amendment, please revise this section to disclose the correct COSO framework your management used to evaluate the effectiveness of your internal control over financial reporting.”
The companies that have received Comment Letters regarding the COSO framework are not limited to smaller issuers, but instead vary in size. For example, 19 companies with market caps ranging from $83 million to $70 billion received such letters.
COSO has indicated that it no longer supports the original version of the Framework released in 1992 and considers it to be superseded by the 2013 version for years ended after December 15, 2014. As Protiviti’s Perspective suggests, it is just a matter of time before all companies use the revised Framework in conjunction with their annual evaluations.