COSO 2013 Framework Adoption

Flash Reports - European Court of Justice Invalidates the EU-US Privacy Shield Framework
COSO 2013 Framework Adoption

March 24, 2015

Implementing the updated Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (Framework) during 2014 was an important endeavor for many public companies in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability.  

COSO has indicated that it no longer supports the original version of the Framework released in 1992 and considers it to be superseded for years ended after December 15, 2014, by the updated version of the Framework completed in 2013. Accordingly, it is just a matter of time before all companies use the revised Framework in conjunction with their annual evaluations of ICFR.  

A strong majority of organizations have adopted the revised framework “on time,” with a handful of early adopters leading the way. For almost 1,900 annual reports with fiscal year ends after December 15, 2014, (the date COSO announced its cessation of support of the original 1992 Framework) filed through March 4, 20151, 180 percent had transitioned to COSO 2013. Of the remaining 20 percent:  

  • 75 percent (or 15 percent of the total filings) reported their continued use of the 1992 Framework.  
  • 25 percent (or five percent of the total filings) did not identify the version of the Framework they used.  

It is possible that some of these latter filers may have transitioned to the 2013 Framework and did not disclose they had done so because the transition period had run its course and, therefore, the parenthetical disclosure in the internal control report was considered by these filers to be unnecessary. That said, if any of these filers continued to use the 1992 Framework, their lack of disclosure in their internal control report could pose a concern for the SEC staff. Bottom line, any way the data is cut, we can report that a strong majority of filers have transitioned to the 2013 Framework. As we will report in April in an issue of The Bulletin, for most of these companies the level of effort in consummating the transition was manageable.  

The implications of the “on time” transition rate to companies that still must complete their transition is clear. They need to get on with it. We are confident that the strong majority of companies who have transitioned successfully and their experience in consummating the transition process will ensure that the SEC staff will not provide a “free pass” for year ends after December 15, 2015, except perhaps in the most extreme circumstances.   

1As reported by Audit Analytics® through its internal controls management report and audit report database, available by subscription ( 

Ready to work with us?