By now, most companies have begun to transition from The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 1992 Internal Control—Integrated Framework to the updated COSO 2013 framework. In fact, many companies included a statement regarding their transition status under Controls and Procedures (Part I, Item 4) in their most recent Form 10-Qs.

Now that the December 15, 2014 COSO 2013 “deadline” is upon us and 2014 audits will start up soon, it’s time to update where you are in the transition process and reconsider why you should care.

A brief background…

The SEC requires that each company adopt a “suitable framework” for compliance with the Section 404 internal control provisions of the Sarbanes-Oxley Act. Furthermore, Regulation S-K Item 308(a)(2) requires that Management’s Report on Internal Control Over Financial Reporting identify the framework used by management to evaluate the effectiveness of the company’s ICFR. It is standard practice for that report (and the independent auditor’s attestation) to reference the COSO framework.

COSO deems COSO 1992 to be superseded by COSO 2013 on December 15, 2014 and encourages companies to transition to the new framework “as soon as is feasible.” (See this Executive Summary and these Frequently Asked Questions.)

The SEC staff’s current thinking…

Certainly, the staff has its eye on whether and when companies are completing the transition to COSO 2013. In this speech, the SEC’s Chief Accountant, Paul Beswick, said:

“SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future.”

It appears, however, that the staff is taking a relatively low key approach at the moment. For example, during a panel discussion last week at PLI’s Annual Institute on Securities Regulation in New York, Mark Kronforst, Chief Accountant and Associate Director of the Division of Corporation Finance, said “there will be no campaign to determine the status of COSO” after December 15, 2014.

Nevertheless, as the 2014 Management’s Reports are filed in the spring, it seems logical to think that continuing references to old COSO 1992 as the operative framework will attract the staff’s attention. It is also easy to imagine that the staff would question whether a company is in compliance with the “suitable framework” requirement if it continues to use COSO 1992 long after December 15, 2014.

Potential governance and compliance consequences…

COSO 2013 adds processes that reflect developments in compliance, regulatory, governance and risk management areas that go well beyond ICFR. Therefore, from the legal department’s governance and compliance perspective, failure to timely transition to COSO 2013 could have the following consequences:

• Non-compliance with the SEC’s “suitable framework” standard for Section 404 compliance.
• A staff comment the next time the company’s SEC filings are reviewed.
• Uncertainty as to whether the Section 302 CEO and CFO certifications are accurate.
• Difficulty obtaining independent auditor agreement with management’s assessment of the effectiveness of its internal controls, possibly including unpleasant discussions about deficiency or weakness.
• Issues regarding whether the Audit Committee is properly overseeing ICFR.
• Concerns regarding the effectiveness of the company’s enterprise risk management.
• Negative investor reaction or market reputation issues.

Action Steps…

• Determine the timeline for your company’s transition to COSO 2013.
• Be sure your Disclosure Committee, Audit Committee and Board of Directors are fully informed regarding the company’s transition plan.
• Identify whether COSO 2013 warrants any changes in the company’s enterprise risk management program.