Since the enactment of the Foreign Corrupt Practices Act in 1977, federal laws have required public companies to maintain sufficient "internal accounting controls." The Sarbanes-Oxley Act of 2002 (the "Act") further requires company management to annually assess and report on the effectiveness of internal control over financial reporting ("ICFR"). For larger registrants, the Act also requires independent auditors to attest to management's assessment of the effectiveness of the company's internal control.
The original Internal Control - Integrated Framework ("original Framework"), published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), remains fundamentally sound. It is broadly accepted in the marketplace and with regulators, for designing, implementing, and conducting systems of internal control and assessing their effectiveness. Nearly all U.S. public companies have relied on the original Framework to comply with internal control reporting requirements under Sarbanes-Oxley.
Recognizing that there have been many changes in business and operating environments since 1992, the COSO Board decided to update the original Framework.
COSO's new Internal Control - Integrated Framework ("updated Framework"), first reported on in our December issue of SEC Impact, was issued in May 2013. COSO has also issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. The Illustrative Tools are expected to assist users when assessing whether a system of internal control meets the requirements set forth in the updated Framework. The ICEFR Compendium is particularly relevant to those who prepare financial statements for external purposes based upon requirements set forth in the updated Framework. The updated Framework and ICEFR Compendium are available at http://www.coso.org/IC.htm.
The COSO Board recognized the fact that business and operating environments have changed dramatically since the original Framework was published over twenty years ago. They have become more complex, technologically driven and global in scale. COSO has reflected these changes in its updated Framework by including consideration of, for example:
- expectations for governance oversight,
- globalization of markets and operations,
- changes and greater complexities in business,
- demands and complexities in laws, rules, regulations, and standards,
- expectations for competencies and accountabilities,
- use of, and reliance on, evolving technologies, and
- expectations relating to preventing and detecting fraud.
The 1992 Framework will be superseded by the updated Framework after December 15, 2014. The SEC has suggested on a number of occasions that it expects companies to begin transitioning to the newly updated COSO framework for internal control now if they are currently relying on the original Framework. During the transition period-today through December 15, 2014-continued use of the 1992 Framework is acceptable, but management must disclose in the internal control report, which of the two frameworks it has used as criteria for evaluating the effectiveness of ICFR. During the transition period, this may be done by placing a parenthetical reference-either "(1992)" or "(2013)" -after "Internal Control - Integrated Framework."
A recently released summary of a meeting between SEC staff members and the Center for Audit Quality's SEC Regulations Committee states that: "The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer's use of the 1992 framework satisfies the SEC's requirement for a suitable, recognized framework," especially after the December 15, 2014, transition date.
Businesses and regulatory environments evolve over time, and leading companies ensure that their internal control systems keep up with those changes. The release of the updated Framework provides the perfect opportunity for companies to take a fresh look at the effectiveness of their internal control systems in mitigating risks to the achievement of their "must-achieve" financial, operational and compliance objectives, especially for those companies experiencing, for example:
- rapid growth, restructurings, expansion into new markets or products,
- increasing regulatory oversight and scrutiny,
- business failures, reputation and brand-damaging events,
- increasing scrutiny from stakeholders demanding greater transparency and expanded reporting,
- increasing reliance on technology, and
- increasing utilization of, and reliance on, third party service providers.
At the 2013 AICPA National Conference on Current SEC and PCAOB Developments, SEC representatives discussed, and stressed, management's responsibility to maintain and appropriately assess ICFR. SEC staff members noted that they will question registrants about management's annual assessment of ICFR and quarterly disclosures of material changes in ICFR if disclosures elsewhere in the registrant's SEC filings indicate potential material weaknesses in ICFR. Paul Beswick, SEC Chief Accountant, said financial reporting has improved as a result of an increased focus on internal controls following the Sarbanes-Oxley Act of 2002. He said maintaining and evaluating ICFR are ongoing activities, and he urged preparers to remain focused and to not give ground.
Companies that have not yet transitioned from the 1992 Framework should familiarize themselves with the updated Framework and formulate a transition plan. The Internal Control - Integrated Framework (2013) and Illustrated Tools are available at http://www.coso.org/ic.htm.
Other useful guidance for registrants on maintaining effective internal control is available from the following sources:
Maintaining effective internal control is the law. For prudent companies that focus on achieving their business objectives and protecting their reputation and brand, it has long been considered good business, too.
If you have any questions about the content of this article, please contact Friedman LLP Partner Kevin Hyams at firstname.lastname@example.org or contact your engagement partner.