The Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, plans to release the updated version of its Internal Control–Integrated Framework in the first quarter of 2013, instead of the fall of 2012.
The framework is expected to help organizations adapt to the increasing complexity and pace of change, mitigate risks to the achievement of objectives, and provide reliable information to support sound decision making. This will be the first update of the framework since 1992 and will take into account new factors, such as the Web and mobile technology.
The public comment period officially ended on March 31, and the COSO board of directors and its advisory council have been considering the many comments they have received to date on the draft version of the framework.
“We got about 100 comment letters, and the comments are very thoughtful,” said COSO chairman David Landsittel in an interview. “The stakeholders that provided those comments obviously did a good job in thoroughly thinking through what they wanted to express. We don’t want to be under pressure in terms of rushing to judgment as to how we address those comments. We looked at our timetable and we concluded we could and should push back the target date for issuance to the first quarter of 2013.”
Another reason for the delay, he explained, was that several stakeholders were concerned about the original target issuance date of late 2012. They asked whether they would need to immediately transition into using the new framework for their 2012 reporting for public companies under Sarbanes-Oxley.
“Our intent would be never to presume that instantaneous transition is required, but we thought that going back to the first quarter of 2013 takes the pressure off that issue,” said Landsittel. “That gives people more time who are on a calendar-year company basis.”
Landsittel noted that with the new framework, the definition would not change, and neither would the five components of the framework that make up an adequate system of internal control. “We have developed a series of principles that put more structure as to what it means to comply with each of the five components,” said Landsittel. “We think that principle-based structure, which we [already] used in guidance we issued in 2006 to smaller companies, will ensure the understandability and the adequacy of how those that use the framework address each of the components and, importantly, help with the efficiency of how they deal with the components as well.”
COSO now has 17 principles that help put structure around the components that make up the framework. The original framework was issued in 1992, and Landsittel noted that there have been many changes in technology such as increased use of the Internet and mobile devices, along with more use of governance and business structures such as joint ventures and outsourcing, which the updated framework will reflect. The Sarbanes-Oxley Act of 2002 has been another major change, with the Section 404 provisions requiring audits of internal controls.
“We wanted to stress more the applicability of the framework to compliance objectives and operational objectives as well as financial reporting objectives,” said Landsittel. “The visibility of the use of the framework is most pronounced in its use by those who are required to report on the effectiveness of their internal controls under SOX 404. That deals with the financial reporting objectives, but we wanted to emphasize more the applicability of the framework more as it relates to compliance objectives and operational objectives that an enterprise has in order to assure its success.”
Landsittel said that COSO is considering all of the comment letters it has received. Even though the comment period has officially closed, the organization will still be accepting comments, and it may offer another comment period before the framework is finalized. Once the new framework is unveiled early next year, there will not be a requirement for companies to transition right away as COSO is not a true standard-setter that can set requirements.
“Our goal is for the new framework to be an improved one,” said Landsittel. “Our view is that those who apply COSO will want to update their analysis as soon as possible, but we continue to believe the ’92 framework is fundamentally sound and it’s been broadly accepted. We anticipate that some enterprises will want to continue to use the ’92 framework. We’re not a standard setter, and we can’t require when you need to update the framework. We will make the original 1992 framework available in the marketplace until the transition is substantially complete. For those that are impacted from a regulatory standpoint by SOX 404, after the framework is issued, we advise that they look to the regulators on the transition.”
He noted that the stakeholders affected by SOX 404 should monitor the possibility that organizations such as the Securities and Exchange Commission and the Public Company Accounting Oversight Board might issue guidance once the new framework is released.
