AICPA, SEC Discuss COSO Transition

by Edith Orenstein

While the U.S. Securities and Exchange Commission has yet to give industry a deadline to switch to a new internal control framework, auditors should question their clients’ “tone at the top” if they haven’t switched yet, an AICPA official said last week.

“If organizations have not transitioned — and not for good sound business reasons — I would think about whether or not that impacts my assessment of controls in tone at top,” said AICPA vice president and COSO Board Member Chuck Landes, at the AICPA’s Annual Conference on Current SEC Developments last week.”If somebody is just blowing off making that transition, that is some evidence that tone at the top is not where it should be and is not tone that would support an effective system of internal control.”

No SEC ‘Deadline’   Yet, But …

At the event practitioners and regulators discussed the transition to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s)  updated internal control framework published in 2013 (“COSO 2013”).

Officials speaking at the conference responded to questions about whether there was an SEC “deadline” for companies and their auditors to switch from the 1992 COSO framework to COSO 2013.

"We have not yet set a particular deadline,” SEC Deputy Chief Accountant Brian Croteau told attendees. However, if the switch to COSO 2013 is not accomplished by the Dec. 15, 2014 transition date, “I would envision you would see comments from Corp Fin,” Croteau explained. He added, “for this year-end, I wouldn't expect you'd see questions from SEC staff.”

Although the SEC may give companies a pass this year on whether they have completed their move to COSO 2013, Landes advised auditors that they should ask questions of their clients and consider the nature of why the client has not yet moved to the new COSO framework.

During his prepared remarks Croteau spoke at length about continuing concerns regarding potential underreporting or misreporting of material weaknesses in internal control over financial reporting (ICFR).

Speaking on a separate panel at the conference, Senior Associate Chief Accountant Kevin Stout devoted his entire remarks to internal control over financial reporting, acknowledging there has been a “recent focus on the impact of immaterial errors on ICFR through the Disclosure Review Program,” but adding  the focus  on ICFR “is not intended to be a ‘gotcha’ exercise.”

One of the most talked about elements of Stout’s speech was what he termed  “the could factor.”

Specifically, Stout suggested companies consider how  an internal control weakness relating to an immaterial misstatement could potentially cause a material misstatement  if circumstances were to change. He also said that companies should consider  whether a lack of resources or other control environment factors leading to an ‘immaterial’ misstatement could raise questions about “what other amounts or disclosures could be impacted by the lack of resources and how the Control Environment and Risk Assessment components of COSO had been evaluated.”

Mike Maloney, Chief Accountant in the SEC’s Division of Enforcement, emphasized the importance of ICFR as well.  “The risk of weak or nonexistent internal controls can be very impactful,” Maloney noted,  imploring preparers, auditors and audit committees to “stay very vigilant” in addressing ICFR weaknesses.

Some Opt to Adopt in 2015; 'Switching Back' Raises Questions

Without a mandate from the SEC to transition to COSO 2013 this year -- and with the 1992 COSO framework still a recognized framework for purposes of Sarbanes-Oxley assertions -- some companies are opting to fully adopt the new COSO framework in 2015 opening up the questionof what the “effective date” for regulatory purposes

“We’ve received emails and letters asking COSO to extend the effective date,” Landes said. “We have no authority, we are not standard-setters; it isn’t something within our power to extend the effective date.”

As noted in a widely cited speech earlier this year by PCAOB Board Member Jeanette Franzel, companies are being strongly encouraged to use the opportunity of implementing COSO 2013 as more than just a 'checklist' exercise, but also to look for areas where controls could be improved.

As a practical matter, many companies may be running COSO 2013 and COSO 1992 on parallel tracks as part of the transition process, until they are satisfied they are ready to switch.

"Some have asked if they switch to COSO 2013, and find a material weakness, can they switch back?" SEC’s Croteau said. "It would be surprising to me if you found a material weakness under the new COSO framework that wasn't (there) under the old."

Landes agreed, saying, "Anecdotally, we’ve heard some people say ‘well, I’m not sure I can pass under the 2013 framework. If you can’t pass under [the] 2013 [framework], I’m not sure how you could under '92."

Other Audit Considerations

PwC Partner Stephen Soske,  speaking on the same AICPA panel,  aid that his firm is strongly recommending that clients use the updated framework for periods ending after Dec. 15, 2014.

However, he added, "Some companies, because of sound business reasons, have decided to adopt [the 2013 framework] in the future," Soske said. "We would respect that. We would follow our client's leads,”

Soske added that, in accordance with PCAOB rulemaking, the auditor would apply the same generally accepted control framework that management does.

Additional insights from the COSO panel at last week’s AICPA conference can be found in: COSO Internal Control Patrol Says Mind Your ELCs, POFs, OSPs.

COSO Chairman Robert (Bob) Hirth is slated to speak on a December 16 webcast sponsored by FEI and BlackLine Systems.. Hear what Hirth has to say on the day after COSO's December 15 'transition' date, along with insights from Grant Thornton Partner Mike Rose and BlackLine System's Susan Parcells.