Last week, I posted a piece regarding the “squishy” deadline  (to borrow the term of art coined by the COSO Chair) for implementation of the new 2013 COSO internal control framework. As you may recall, the original 1992 COSO internal control framework is deemed by COSO to be “superseded” as of December 15, 2014.  However, because COSO has no regulatory enforcement authority, there has been some question about how rigid that timeframe really is.  Since that post, as discussed in this post by Randi Morrison on thecorporatecounsel.net’s Mentor Blog, Deloitte has issued a “Heads Up — Challenges and leading practices related to implementing COSO’s ‘Internal Control — Integrated Framework,’” which further elucidates Deloitte’s views on the timing of implementation.

Deloitte believes that “most companies” are moving forward toward adoption this year: “These companies have their gap assessment under way right now, with a target to have the gap assessment and initial testing of ICFR completed by the end of the third quarter. This leaves the fourth quarter for remediation of internal control gaps and retesting. This timing helps ensure an efficient and effective ICFR attestation process for management at year-end.” Nevertheless, Deloitte has “observed some instances in which companies have decided to continue to apply the 1992 Framework for the current calendar year. Their decisions were generally based on consultations with a number of stakeholders, including the board, audit committee, and internal and external auditors.”

In either case, Deloitte advises that companies “clearly disclose in their annual assessment of ICFR whether they used the 1992 Framework or the 2013 Framework.”  In addition, Deloitte points out that AS5 requires the auditor to use the “same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company’s internal control over financial reporting.” Consequently, Deloitte notes, if the company relies on the 1992 framework, the auditor’s report on ICFR will also disclose reliance on the 1992 framework.

The Deloitte article includes an excellent summary, for each of the 17 principles in the 2013 framework, of common implementation challenges companies have faced and leading internal control practices.

In my earlier post, I noted that the SEC has not clearly addressed the question of whether a framework that is past its sell-by date is still considered “suitable” and “recognized.” While KPMG advises in the cited Compliance Week article that companies should not expect the SEC staff to challenge use of the 1992 framework in the near term, the staff has previously said that, while they deferred to COSO’s own remarks regarding timing of the transition, “the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement for a suitable, recognized framework,” especially after December 15, 2014. Accordingly, depending on the timing, it’s possible that issuers electing not to transition to the 2013 framework may face comments from the SEC staff asking for justification of the use of the 1992 framework.