Small Business Securities Bulletin: Updated COSO Internal Control Framework

more+
less-

As many of our readers are well aware, SEC reporting companies are required to maintain internal control over financial reporting to ensure accurate financial statements, and to evaluate the effectiveness of the internal control over financial reporting using “a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.” At present, the only such framework is the Internal Control-Integrated Framework published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). In 1992 COSO published its Internal Control over Financial Reporting–Guidance for Smaller Public Companies (SEC reporting companies with a public float below $75 million), which clarified how the 1992 Framework applied to smaller companies.

On May 14, COSO published a new, updated Internal Control-Integrated Framework. The updated Framework has been expanded to be applicable to not just financial reporting, but to compliance and operations as well. While the updated framework retains the five core components of the prior guidance, it now includes 17 principles that support the five components, which companies must assess as part of their internal control review. The 17 principles address operations, reporting and compliance. Thus, under the new Framework, evaluation of internal control over financial reporting may need to be more detailed and/or require additional documentation in order to comply with the updated Framework.

While COSO “believes that users should transition their applications and related documentation to the updated Framework as soon as is feasible under their particular circumstance,” COSO will make the new Framework available through December 15, 2014, “after which time COSO will consider it as having been superseded.” Therefore, in COSO’s view, calendar year-end companies may use the existing Frameworks to evaluate their internal control over financial reporting only for the year ended December 31, 2013. Beginning next year, the updated Framework must be used (according to COSO, its 2009 Guidance on Monitoring Internal Control Systems will continue to be applicable). The SEC, however, has not taken, and has indicated in may not take, a position on whether companies may continue to use the earlier version of the Framework or, conversely, whether it prefers the new Framework. Hopefully there will be some clarity from the SEC on this issue in advance of the transition date.

In addition to the updated Framework, COSO also developed (i) Illustrative Tools for Assessing Effectiveness of a System of Internal Control and (ii) Internal Control Over External Financial Reporting: A Compendium of Approaches and Examples. These publications, as well as the updated Framework, are available for purchase at COSO’s website, www.coso.org. A summary of the updated Framework is available here [PDF] and COSO’s Frequently Asked Questions about the updated Framework is available here [PDF].

We encourage SEC reporting companies to review the updated Framework and related materials and start integrating its processes into their review of their internal control over financial reporting.