This is the fourth of our deeper dives into the topics we discussed in our Second Annual Form 10-K Tune-up One-hour Briefing on January 7. (This One-Hour Briefing will be available on-demand soon.)
The topics for this post are:
The COSO framework, and
Internal Control Over Financial Reporting.
COSO
The easier of these two topics to discuss, although it presents some very gray issues, is the 2013 revision of the COSO framework. If you have not yet adopted the updated framework, what are the implications in your SEC reporting?
The SEC has not made any bright-line statements or mandates about this transition. And, in fact, many companies have not yet adopted the framework.
In December of 2013, Paul Beswick, the SEC’s Chief Accountant at that time, said in a speech:
“SEC staff plans to monitor the transition for issuers using the 1992 framework to evaluate whether and if any staff or Commission actions become necessary or appropriate at some point in the future. However, at this time, I’ll simply refer users of the COSO framework to the statements COSO has made about their new framework and their thoughts about transition.”
In addition to this cautionary language, the SEC Staff also discussed this issue at a meeting of the Center for Audit Quality’s SEC Regulations Committee. Here is that section of the minutes:
Ms. Shah stated that the staff is currently referring users of the COSO 1992 framework to the following statements made on the COSO web site:
“COSO believes that users should transition their applications and related documentation to the updated Framework as soon as is feasible under their particular circumstances. As previously announced, COSO will continue to make available its original Framework during the transition period extending to December 15, 2014, after which time COSO will consider it as superseded by the 2013 edition. During the transition period (May 14, 2013 to December 15, 2014) the COSO Board believes that organizations reporting externally should clearly disclose whether the original Framework or the updated Framework was utilized.”
Exchange Act Rule 13a-15(c) requires management’s evaluation of the effectiveness of internal control over financial reporting to be based on a framework that is “a suitable, recognized control framework that is established by a body or group that has followed due-process procedures…” In Release 33-8328, the SEC stated that “[t]he COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements.”
The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework (particularly after December 15, 2014 when COSO will consider the 1992 framework to have been superseded by the 2013 framework).
Clearly there is no hard and fast rule about when to transition, but if a company were to use the old framework much longer, questions about the suitability of the old framework increase in importance. Issues such as what kinds of problems the new framework might identify that the old framework could miss (in other words, where the gaps are) would need to be addressed.
As a last note, this blog post from the WSJ reports that 73% of 10-K filers for 2014 adopted the new framework:
blogs.wsj.com/riskandcompliance/2015/04/29/the-morning-risk-report-companies-adopting-updated-coso-framework-newsletter-draft/
ICFR
Since their inception, the SOX 404 processes used by management and external auditors to assess the effectiveness of internal control over financial reporting have been evolving. In the last few years there have been a number of developments, and companies, auditors and regulators have all been raising questions about the process. Some observers have even called this period a “perfect storm” of ICFR evaluation issues.
So, what is behind the perfect storm? Here are a few of the underlying sources of this ongoing issue.
The SEC has asked some challenging questions, including “Where are all the material weaknesses?” In this speech, Deputy Chief Accountant Brian Croteau addresses for the second year in a row how most restatements are not preceded by a material weakness disclosure, raising the question about whether managements’ assessments and external audits are appropriately identifying material weaknesses:
www.sec.gov/News/Speech/Detail/Speech/1370543616539
The PCAOB in their inspection reports have found what they believe to be a significant number of issues in ICFR audits. In the Overall Findings section of their first report on ICFR inspections the Board reported:
In 46 of the 309 integrated audit engagements (15 percent) that were inspected in 2010, Inspections staff found that the firm, at the time it issued its audit report, had failed to obtain sufficient audit evidence to support its audit opinion on the effectiveness of internal control due to one or more deficiencies identified by the Inspections staff. In 39 of those 46 engagements (85 percent) where the firm did not have sufficient evidence to support the internal control opinion, representing 13 percent of the 309 integrated audit engagements that were inspected, the firm also failed to obtain sufficient audit evidence to support the financial statement audit opinion.
Since this report the PCAOB has summarized issues they have found in ICFR audits in other documents, including Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting. You can find the alert at:
pcaobus.org/Standards/QandA/10-24-2013_SAPA_11.pdf
The issues addressed in the Alert are very similar to those addressed in the summary inspection report and include:
Risk assessment and the audit of internal control
Selecting controls to test
Testing management review controls
Information technology (“IT”) considerations, including system-generated data and reports
Roll-forward of controls tested at an interim date
Using the work of others
Evaluating identified control deficiencies
In particular, testing management review controls and relying on system-generated data have been common and particularly difficult challenges to deal with in the ICFR process. This combination of challenging areas to deal with and questions about identifying and reporting all material weaknesses in ICFR will likely continue to make this a difficult area in future years.
As always, your thoughts and comments are welcome.
The whole briefing is now available on-demand with CPE and CLE credit at:
www.pli.edu/Content/OnDemand/Second_Annual_Form_10_K_Tune_Up/_/N-4nZ1z116ku?fromsearch=false&ID=278540