In May 2013, the Committee of Sponsoring Organizations (“COSO”) released its enhanced framework for internal control over financial reporting (“2013 Framework”). The 2013 Framework was initiated because the world of reporting has changed since the previous framework was released in 1992 (“1992 Framework”), as a result of the growing use of technology, a more global business environment, and greater expectations from shareholders and investors.
The 2013 Framework is essentially not new: it is “evolutionary, not revolutionary”. After 20 years of developments in company controls and technology, the updated framework gives companies increased guidance and tools and compels them to revisit controls that may be outdated or require strengthening. The definition of internal control and the overall structure remain unchanged, but management must now report on the 17 principles codified to support the five components of internal control. These principles have always been embedded in the original framework, but are now specifically identified in the 2013 Framework. In addition, there are 77 points of focus within these principles to help management assess its company’s internal controls. Not all of the points are likely to be relevant to a company.
On December 15, 2014, COSO discontinued its support of the 1992 Framework. At the AICPA year-end SEC and PCAOB Conference in Washington D.C. (“Conference”), the SEC Division of Corporate Finance indicated that there is no specific date by which companies are required to switch to the 2013 Framework, although it is strongly recommended to do so as soon as feasible. Continued use of the old framework will lead to a greater chance of receiving questions from the SEC and will give the overall impression that the company is not investing sufficient resources into updating its internal controls and documentation and that it is not reporting under an appropriate framework. Annual filings must disclose which framework is used. Registrants are required to report changes to internal control quarterly.
The impact of the change to the new framework is not likely to come from activity-level control activities, but rather from indirect entity-level controls; these are the soft components of internal control, such as tone at the top and ethics.
One of the most revealing comments from the SEC Deputy Chief Accountant at the December SEC Update concerned how infrequently material weaknesses are reported. He also indicated that it is surprisingly rare to see a material weakness disclosed without a corresponding material misstatement and suggested this might indicate that deficiencies are not being identified or evaluated appropriately. This may not come as a surprise, as many companies try to downplay their deficiencies to avoid looking bad. It is hoped that the new framework will encourage companies to make better evaluations of their control deficiencies through the use of these principles and points of focus.
In general, companies make adjustments or report deficiencies when issues are either material to the financial statements or sensitive to disclosure. The SEC staff at the Conference recommended that companies also weigh a deficiency in light of future circumstances. In other words, an item could be immaterial in the current period due to a low dollar amount or activity, but if the same deficiency could go undetected in the future, when volume may be greater, the company should consider disclosure in the current period and rectify the deficiency immediately. The SEC staff refers to these situations as the “could factor”.
The SEC staff also pointed out that there has been a great rise in restatements related to the statement of cash flows; many of the restatements were basic mistakes. It is easy for preparers of the statement to become complacent, follow the quarterly routine, and not put thought into new or non-recurring transactions. Under the 2013 Framework, management would be expected to re-evaluate the financial reporting process and focus on entity-level controls surrounding the statement’s preparation, such as the manner and timing in which staff receive information, the technical competency of those preparing the statement, and proper monitoring of the process. The SEC staff also believes that companies need to evaluate internal control over financial reporting surrounding significant estimates and non-recurring items.
Early adopters of the 2013 Framework are finding that their existing internal controls are mapping well to the principles contained in the updated framework. They maintained that they need to bring more controls into the scope of their internal control evaluation. Entity-level controls vary in nature and precision and could have an effect on the likelihood that a misstatement will be prevented or detected in a timely manner.
Kim Lowney, Director, Assurance Services contributed to this article.