The framework used by many public companies to measure internal controls over financial reporting is sunsetting. As of December 15, 2014, the Internal Control – Integrated Framework originally published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 (the "1992 Framework") will be superseded by COSO's updated Internal Control – Integrated Framework published in May 2013 (the "2013 Framework").
Despite a 19-month transition period, questions remain as to whether and for what time period companies may continue to utilize the 1992 Framework after December 15, 2014. The Securities and Exchange Commission has not issued its own guidance regarding the transition, but Commission staff members have indicated that the "staff plans to monitor the transition for issuers using the 1992 [F]ramework to evaluate whether and if any staff or Commission actions become necessary or appropriate."
The 1992 Framework was widely used by management to evaluate internal controls, as required by Rule 13a-15 under the Securities Exchange Act of 1934. While its usage was not mandatory, the 1992 Framework was considered a "suitable, recognized control framework" as required by Rule 13a-15. The 2013 Framework was published to clarify current effective internal control and to take into account changes in the business environment since 1992, including enhanced risk oversight and operations and technology trends. The effort and cost necessary for transition to the 2013 Framework will vary depending on company-specific factors, such as company size and the current controls and processes in place.
Companies that report on a calendar-year basis have been encouraged to transition by the end of 2014. On the other hand, companies with non-December 31 fiscal year ends have considered continuing to utilize the 1992 Framework through the first reporting period ending after December 15, 2014. Non-calendar year-end companies may hope to derive a benefit from "waiting and seeing" what earlier filers do and experience in transitioning (or not transitioning) to the new framework. However, the "wait and see" benefit may be outweighed by (i) the inability to change course prior to filing and (ii) the risk of Commission action as a consequence of delayed compliance. Additionally, a company's external auditors may challenge the continued use of the 1992 Framework after December 15, 2014.
Companies should disclose in their reports on internal controls which COSO framework has been utilized. Any implementation or compliance delays regarding the 2013 Framework and any changes to internal controls as part of the implementation should also be disclosed. Thus, certifying officers (i.e., the CEO and CFO) and audit committees must understand the transition and its implications.
If you have questions regarding timing of compliance with the 2013 Framework or the consequences of not transitioning to the new framework, please contact your Baker Donelson attorney or a member of our Securities and Corporate Governance Group.