Some Companies Unsure About This New COSO Internal Control Framework

Some dates are not set in stone, like the day of the week I decide to clean the cat fountain or change my sheets. Others, like the day I need to pay my rent and the fiscal year-end on or after December 15, 2014 are not so variable.

When it comes to COSO's new 2013 Internal Control – Integrated Framework, some companies are taking the procrastinating approach, according to a survey by Protiviti:

Companies are getting started, albeit slowly, with implementing the new COSO framework – A somewhat surprising number of organizations have yet to begin work in earnest on gaining a clear understanding of and implementing COSO’s new Internal Control – Integrated Framework. Organizations need to get this process going sooner rather than later so that they can understand what precisely will be involved in transitioning to the updated framework and how to undertake the transition process successfully.

What exactly do they mean by a "somewhat surprising number?"

61% of respondents are on this, and 19% are like "forget it" but it's that 20% we're worried about. How can you be unsure? It's COSO, not what are you going to have for lunch.

Last year, the SEC said "the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement for a suitable, recognized framework," especially after the December 15, 2014 transition date. That's regulator code for "seriously, people, get on this."

Interestingly enough (or perhaps not given dismal audit failure rates across the board and hints from the PCAOB that audit firms still have a long way to go to please their audit overlords), survey respondents are more concerned with the PCAOB breathing down their necks than COSO right now:

There is measurable fallout from the PCAOB’s inspection reports – External auditors are making notable changes to their auditing processes – including with respect to addressing various IT considerations, requiring more precision and testing of management reviews of controls, and evaluating identified control deficiencies – that are driving up efforts and overall costs for organizations.

Compliance costs are going up but are still manageable for many – The PCAOB’s inspection reports are affecting compliance costs for companies: Nearly half of the organizations responding to our survey report these costs are rising, with 41 percent noting increases of 20 percent or more – a big year-over-year jump in our study. Yet 61 percent of organizations still spend $500,000 or less annually on SOX compliance.

Audit fees are expected to rise, with 62% of organizations that expect a fee increase preparing for an increase of 10% or more. As Protiviti points out, it is difficult to know how much of that is COSO and how much of that is increased PCAOB scrutiny.

From FEI:

Keith Kawashima, managing director in Protiviti’s Silicon Valley office, said that he has heard of companies spending time mapping their existing control framework to the COSO 2013 framework, in the neighborhood of “100, 250, 300 hours.”

The net impact this year on external auditor’s fees, according to Kawashima, may be “negligible,” after taking into account “there may be a little bit of offset” from the fact that auditors have already implemented changes that many ascribed to the PCAOB’s inspection process, which were believed to have increased audit fees last year, including as relate to “the level of precision of controls.”

See the full survey here.

Related articles