Many Companies Slow to Implement 2013 COSO Framework

Companies are taking their time transitioning to the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, even though the updated guidance is set to take effect after December 15, 2014.

According to a new survey from global consulting firm Protiviti, Keeping Pace with SOX Compliance: COSO, Costs and the PCAOB, 48 percent of the 650 audit executives and professionals surveyed reported that their organization had not yet applied the new framework to their key controls as of the first quarter of 2014.

Of the 52 percent of executives who said their COSO implementation had begun, they noted the effort has increased the amount of resources their organization has devoted to internal control compliance.

Protiviti noted in its survey report that the low compliance numbers may be a reflection of timing, with many companies likely beginning the implementation process this spring or summer. It could also be due to confusion over the required transition period.

“A surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls,” Brian Christensen, Protiviti executive vice president and leader of the firm’s Internal Audit and Financial Advisory practice, said in a written statement. “Our survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”

According to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), publicly traded “accelerated filers” must attest that they have an effective system of internal control over external financial reporting, and the US Securities and Exchange Commission (SEC) has allowed such filers to use COSO in making this assessment. The original COSO framework was issued in 1992.

COSO updated its internal control guidance in May 2013, allowing companies to transition to the new framework until December 15, after which time the original guidance will no longer be available. The SEC has noted that it is monitoring the transition by issuers to the new framework as part of its documenting internal control over external financial reporting.

Of the companies that have faced significant changes to their SOX compliance programs, 47 percent pointed to the impact of Public Company Accounting Oversight Board (PCAOB) inspection reports of external auditors that found deficiencies in recent audits of internal controls.

The two SOX compliance areas most affected by the PCAOB inspection reports were:

  1. Testing review of controls (26 percent indicated extensive/substantial impact; 32 percent indicated moderate impact)
  2. IT considerations (25 percent indicated extensive/substantial impact; 30 percent indicated moderate impact)

Protiviti noted that these two areas also ranked highest in terms of additional time and effort required based on the impact, which drives up compliance costs. Nearly half of respondents reported these costs are rising, with 41 percent reporting increases of 20 percent or more – a significant year-over-year jump based on past survey results.

“The PCAOB inspection reports had a tremendous impact on the way companies handled SOX compliance in 2013, and we foresee that continuing,” Christiansen said. “However, the costs are still expected to be manageable going forward, in part because companies are continuing to work to improve their efficiency.”

The following are two other notable survey results, according to Protiviti:

  1. Organizations in which the audit committee has primary responsibility for SOX compliance increased year-over-year between 2013 and 2014 from 11 percent to 18 percent. Conversely, organizations that allow their project management office to be primarily responsible decreased year-over-year from 10 percent to 5 percent.
  2. Automated controls remain powerful tools to ensuring a strong internal control environment, and over time prove not only highly effective, but also efficient. Eighty-three percent of organizations have plans in place to automate either a broad range or selected IT processes and controls.

Related articles:

COSO Issues Updated Internal Control-Integrated Framework, Related Illustrative Documents
Compliance Risks Now a Higher Priority for Auditors
SOX Compliance Survey Shows Need for More Scrutiny on High-Risk Processes

You may like these other stories...

Accountants who specialize in forensic and valuation services point to electronic data analysis, or big data, as the most pressing issue they’ll face in the coming months, according to results of a new survey released...
Renaissance avoided more than $6 billion tax, report saysThe Senate Permanent Subcommittee on Investigations said on Monday that a Renaissance Technologies LLC hedge fund’s investors probably avoided more than $6...
Your 15-year-old may be tech-savvy enough to debug your computer, back-up data on your mobile devices, and help you stream episodes of Game of Thrones, but chances are you can’t expect them to display the same level of...

Upcoming CPE Webinars

Jul 24
In this presentation Excel expert David Ringstrom, CPA revisits the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both boost the integrity of your spreadsheets, but reduce maintenance as well.
Jul 31
In this session Excel expert David Ringstrom helps beginners get up to speed in Microsoft Excel. However, even experienced Excel users will learn some new tricks, particularly when David discusses under-utilized aspects of Excel.
Aug 5
This webcast will focus on accounting and disclosure policies for various types of consolidations and business combinations.