The transition from the 1992 framework to the 2013 framework takes preparation, analysis and testing…and time. Every organization will be different depending on the level of complexity in the business, management’s consistency in interpreting and intentions with the 1992 framework, and the overall changes in the business’ operations. The December 15, 2014, deadline past and for those that procrastinated or didn’t update their documentation, here are some guidelines:
Information is Key. Taking time to review the 2013 framework including the related documents and appendixes is important. This should be a priority of those responsible for the SOX 404 compliance, regardless of whether there is an attestation or not. The ICEFR Compendium will provide great insight with practical examples on the 17 principles and how they may be applied to internal control. Then, inform your executive and operational teams on how the 2013 framework applies to objectives beyond external financial reporting.
Educate your Board. Share the Executive Summary document with your board of directors to provide them a board level education on the 2013 Framework. Discuss the expectation of providing support and active governance oversight over the internal control system. Further share the company’s plan to adopt the 2013 framework to assure board support.
Preparation, Analysis, Adoption and Testing. Corporate management should assess how the 2013 framework’s 17 principles will be incorporated. The overall impact and resources needed to adopt the new Framework will need to be analyzed. You can begin the analysis by concurrently mapping controls to the 2013 Framework while performing the 2013 assessment of internal controls for purposes of SOX 404 (under the 1992 Framework).
- Transition and Revision. After evaluating the results of the impact analysis, senior management should develop a plan to revise current controls design and/or documentation to fully incorporate the 17 principles (as needed) and test the functioning of any additional controls implemented or formalized as a result of the new framework. Where a principle is identified as not being adequately addressed by the current system of internal control, changes to the current internal controls should be made to ensure the principle is adequately addressed.
- Testing and Reporting. Following the transition plan, management will need to ensure the revised internal control system is functioning properly and allow time for correction. Testing a control multiple times helps determine if the control is functioning properly. Be sure to build in additional time for revising, if needed, after testing.
Because the SEC has stated that they will likely ask questions to those companies who continue to use the old framework beyond the transition date, it is best to consider your company’s risk at not migrating to the 2013 Framework. Although the framework set forth by COSO is not mandatory, it is being widely adopted by companies in their internal control over financial reporting compliance relating to Sarbanes-Oxley (SOX).
If you have questions on your company’s transition from 1992 to 2013 Framework, let us know. We are here to assist you in any of the areas you need. Our goal is to make this process as painless as possible for you.
For more information on the COSO 2013 Framework and your company’s adoption, contact Paul Demastus, Partner, LBMC Accounting and Assurance Services. firstname.lastname@example.org; 615.309.2229. LBMC is a top 50 U.S. Accounting Firm, as ranked by Accounting Today.