Many Companies Slow to Implement 2013 COSO Framework

Companies are taking their time transitioning to the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, even though the updated guidance is set to take effect after December 15, 2014.

According to a new survey from global consulting firm Protiviti, Keeping Pace with SOX Compliance: COSO, Costs and the PCAOB, 48 percent of the 650 audit executives and professionals surveyed reported that their organization had not yet applied the new framework to their key controls as of the first quarter of 2014.

The 52 percent of executives who said their COSO implementation had begun noted that the effort has increased the amount of resources their organization has devoted to internal control compliance.

Protiviti noted in its survey report that the low compliance numbers may be a reflection of timing, with many companies likely beginning the implementation process this spring or summer. It could also be due to confusion over the required transition period.

“A surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls,” Brian Christensen, Protiviti executive vice president and leader of the firm’s Internal Audit and Financial Advisory practice, said in a written statement. “Our survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”

According to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), publicly traded “accelerated filers” must attest that they have an effective system of internal control over external financial reporting, and the US Securities and Exchange Commission (SEC) has allowed such filers to use COSO in making this assessment. The original COSO framework was issued in 1992.

COSO updated its internal control guidance in May 2013, allowing companies to transition to the new framework until December 15, after which time the original guidance will no longer be available. The SEC has noted that it is monitoring the transition by issuers to the new framework as part of its documenting internal control over external financial reporting.

Of the companies that have faced significant changes to their SOX compliance programs, 47 percent pointed to the impact of Public Company Accounting Oversight Board (PCAOB) inspection reports of external auditors that found deficiencies in recent audits of internal controls.

The two SOX compliance areas most affected by the PCAOB inspection reports were:

  1. Testing review of controls (26 percent indicated extensive/substantial impact; 32 percent indicated moderate impact)
  2. IT considerations (25 percent indicated extensive/substantial impact; 30 percent indicated moderate impact)

Protiviti noted that these two areas also ranked highest in terms of additional time and effort required based on the impact, which drives up compliance costs. Nearly half of respondents reported these costs are rising, with 41 percent reporting increases of 20 percent or more – a significant year-over-year jump based on past survey results.

“The PCAOB inspection reports had a tremendous impact on the way companies handled SOX compliance in 2013, and we foresee that continuing,” Christensen said. “However, the costs are still expected to be manageable going forward, in part because companies are continuing to work to improve their efficiency.”

The following are two other notable survey results, according to Protiviti:

  1. Organizations in which the audit committee has primary responsibility for SOX compliance increased year-over-year between 2013 and 2014 from 11 percent to 18 percent. Conversely, organizations that allow their project management office to be primarily responsible decreased year-over-year from 10 percent to 5 percent.
  2. Automated controls remain powerful tools for ensuring a strong internal control environment, and over time prove not only highly effective, but also efficient. Eighty-three percent of organizations have plans in place to automate either a broad range or selected IT processes and controls.
