Companies are taking their time transitioning to the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, even though the updated guidance is set to take effect after December 15, 2014.
According to a new survey from global consulting firm Protiviti, Keeping Pace with SOX Compliance: COSO, Costs and the PCAOB, 48 percent of the 650 audit executives and professionals surveyed reported that their organization had not yet applied the new framework to their key controls as of the first quarter of 2014.
Of the 52 percent of executives who said their COSO implementation had begun, they noted the effort has increased the amount of resources their organization has devoted to internal control compliance.
Protiviti noted in its survey report that the low compliance numbers may be a reflection of timing, with many companies likely beginning the implementation process this spring or summer. It could also be due to confusion over the required transition period.
“A surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls,” Brian Christensen, Protiviti executive vice president and leader of the firm’s Internal Audit and Financial Advisory practice, said in a written statement. “Our survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”
According to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), publicly traded “accelerated filers” must attest that they have an effective system of internal control over external financial reporting, and the US Securities and Exchange Commission (SEC) has allowed such filers to use COSO in making this assessment. The original COSO framework was issued in 1992.
COSO updated its internal control guidance in May 2013, allowing companies to transition to the new framework until December 15, after which time the original guidance will no longer be available. The SEC has noted that it is monitoring the transition by issuers to the new framework as part of its documenting internal control over external financial reporting.
Of the companies that have faced significant changes to their SOX compliance programs, 47 percent pointed to the impact of Public Company Accounting Oversight Board (PCAOB) inspection reports of external auditors that found deficiencies in recent audits of internal controls.
The two SOX compliance areas most affected by the PCAOB inspection reports were:
- Testing review of controls (26 percent indicated extensive/substantial impact; 32 percent indicated moderate impact)
- IT considerations (25 percent indicated extensive/substantial impact; 30 percent indicated moderate impact)
Protiviti noted that these two areas also ranked highest in terms of additional time and effort required based on the impact, which drives up compliance costs. Nearly half of respondents reported these costs are rising, with 41 percent reporting increases of 20 percent or more – a significant year-over-year jump based on past survey results.
“The PCAOB inspection reports had a tremendous impact on the way companies handled SOX compliance in 2013, and we foresee that continuing,” Christiansen said. “However, the costs are still expected to be manageable going forward, in part because companies are continuing to work to improve their efficiency.”
The following are two other notable survey results, according to Protiviti:
- Organizations in which the audit committee has primary responsibility for SOX compliance increased year-over-year between 2013 and 2014 from 11 percent to 18 percent. Conversely, organizations that allow their project management office to be primarily responsible decreased year-over-year from 10 percent to 5 percent.
- Automated controls remain powerful tools to ensuring a strong internal control environment, and over time prove not only highly effective, but also efficient. Eighty-three percent of organizations have plans in place to automate either a broad range or selected IT processes and controls.
COSO Issues Updated Internal Control-Integrated Framework, Related Illustrative Documents
Compliance Risks Now a Higher Priority for Auditors
SOX Compliance Survey Shows Need for More Scrutiny on High-Risk Processes