Risk Management

Corporates Not Yet Ready for Internal-Controls Prime Time

Most firms seem to be putting off implementation of the new COSO framework until next year.
Kathy HoffelderAugust 20, 2013

Most companies aren’t ready yet to comply with the new framework for internal controls put out by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in May, according to participants in an accounting webcast aired today. 

But companies should be ready to comply by the end of 2014, some said. The new framework is essentially a 1992 document that’s been updated to adapt to the business needs of today. The updated version will supersede the old one on December 15, 2014.

Understanding how much time it takes to comply with the framework is important–not only for those directly involved in its implementation, experts advised, noting that top management must grasp it, too. 

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Participants on the American Institute of CPA s’ COSO Web cast said that only the most forward-thinking companies are using the new framework. COSO encourages corporations to transition to the updated framework as soon as possible.

“I haven’t heard any board or executive pressure saying we must adopt in 2013,” said Bill Schneider, director of accounting at AT&T, speaking about the implications for companies on the call today. But he did note that a more proactive approach to the new framework could help ward off any unforeseen surprises.

It could also help a corporation remain competitive with its peer group. Companies, he said, do not want to be the last ones in an industry to adopt. Senior executives, he said, should ask themselves, “are other companies in my industry adopting?”  

If the key players in an industry are all adopting on the early side and one company is not, then a company might get asked questions. “If the industry is saying we’ll adopt in 2014, then you’re probably safer,” he said, noting that kind of questioning is important to make sure a company is not an outlier.

The original COSO framework has been adopted by most companies subject to the Sarbanes-Oxley Act, which governs public issuers. Compliance with the framework enables them to assess and improve their internal controls, enterprise risk management and fraud deterrence.

Participants on today’s webcast noted, however, that the framework is not just for financial reporting purposes but for non-financial reporting as well. The new version is helpful, they say, for firms reporting on such things as sustainability and consumer activity.  

“When we started our original SOX compliance journey back in 2003, a lot of the focus was on control activities. For months, it was all about identifying and documenting the design of our transactional controls. That’s just one layer, however, one component of internal control,” said J. Stephen McNally, director of finance at Campbell Soup. But COSO’s internal control framework is more holistic, he said, noting the framework can be applied to a specific division, operating unit or function as well as at an overall entity level.

The new framework adds 17 explicit principles to the old one aimed at helping firms articulate their risk assessment, control environment, control activities, information and communication and monitoring activities.

More formal consequences in switching late to the new framework could be in the cards. A KPMG comment paper in July noted that the Securities and Exchange Commission plans to monitor the transition to the new framework to see if any staff or commission actions are necessary.