COSO has developed frameworks for firms to improve their internal controls with the objective of reducing fraud and managing enterprise risk. The frameworks are widely used by firms and their auditors to comply with the internal control requirements of the Sarbanes-Oxley Act (SOX). We investigate two issues involving the most recent COSO internal control framework (COSO 2013): the determinants of a firm's decision to adopt it in a timely manner; and the consequences of adoption on internal controls. In our sample, firms that report internal control problems under SOX 404, especially firms with information technology (IT) problems, are likely to be late adopters. Regarding the consequences of adoption, for late adopters, we find that firms using the revised COSO framework have a lower probability of reporting weaknesses in IT-related controls. We also find evidence that COSO 2013 adoption is helpful in remediating internal control weaknesses.
Data Availability: Data are available from the public sources cited in the text.