By now, every company should be using the COSO 2013 Framework in conjunction with their annual evaluations. In updating last year’s analysis, we discovered otherwise. Although the original version of the framework released in 1992 was superseded by the 2013 version effective for years ended after December 15, 2014, there are still a surprising number of companies who have not made the change.
Similar to last year, nearly all companies with audited ICFR reports use the new framework, while companies with management-only reports are still straggling.
In 2016, 99% of the audited ICFR reports relied on the 2013 Framework – an increase from 82% in 2015. This leaves only 19 companies that have not completed implementation.
On the other hand, when it comes to issuers with management-only opinions, only 63% have disclosed the use of the 2013 Framework.
While there is clear improvement from last year (up from 51% from 2015), we are not sure why more than one-third of the companies are not using the new framework. Further analysis of management-only reports by NYSE, NASDAQ and AMEX companies, provided an interesting finding.
Companies that used the 1992 Framework or did not disclose which framework was used were more likely to disclose SOX 404 ICFR weaknesses in their 2016 reports. The median market cap and revenue of these companies tend to be slightly smaller than those companies that use the 2013 Framework, however, size alone is unlikely to explain such a discrepancy in the rate of ineffective reports.
Our findings suggest that the 2013 Framework adoption rate and ICFR effectiveness are strongly correlated. One possible explanation is that companies with ineffective ICFR simply do not have the resources needed to either adopt the new framework or to remediate the ICFR weaknesses. Controls that are not effective under the 1992 Framework are going to be just as ineffective once the more rigorous 2013 Framework is used.
The number of companies with ineffective controls and lack of framework disclosure is not large enough to draw strong conclusions. Yet, even if controls were determined to be effective, we would think that omitted framework disclosure sends a negative message to investors.