INTERNAL CONTROL 2006:
THE NEXT WAVE OF CERTIFICATION
Guidance for Management
James L. Goodfellow and Alan D. Willis
Copyright © 2006
The Canadian Institute
of Chartered Accountants
277 Wellington Street West
Toronto, Canada
M5V 3H2
www.rmgb.ca
Disponible en français
Printed in Canada
Table of Contents

Preface  v
A. Introduction  1
B. The Four Phases of Certification  5
C. Relationship between ICFR and DC&P  7
   Key Messages  9
D. ICFR and Stages in Business Growth  11
   Key Messages  13
E. Developing an Approach for Certifying the Design of ICFR  15
   Overall considerations  15
   Using a control framework  16
   Preventive and detective controls  16
   Entity wide controls and process level controls  16
   Alignment with sub-certification processes  17
   Process for certifying the design of ICFR  18
F. Certification Process: Preparation Stage  19
   1. Review relevant control information  19
   2. Identify relevant control “systems” and material account balances  20
   3. Identify major financial reporting risks  21
   Key Message  22
G. Certification Process: Assessment Stage  23
   4. Assess the quality of the control environment  23
      Board responsibilities  24
      Code of conduct  24
      Whistle-blowing policy  25
      Compensation practices  25
      Management’s philosophy and operating style  25
      Board influence over the control environment in venture issuers  26
   Key Messages  27
   5. Assess the design of other entity level controls  27
   Key Messages  31
   6. Assess process level controls  32
   Key Messages  35
H. Certification Process: Conclusions and Disclosure Stage  37
   a. Review findings from assessments of ICFR design  37
   b. Disclosure considerations and decisions  39
      i. Categories of ICFR design weaknesses  39
      ii. Materiality  39
      iii. A decision tree on disclosure of material weaknesses  40
      iv. Investigating the impact of ICFR design weaknesses  41
   c. Disclosure examples  42
   d. Deciding on disclosure of changes in ICFR  43
   e. Uncorrected material weaknesses in ICFR  44
   f. Issues for small companies  44
   Key Messages  45
I. The Role of the Audit Committee and External Auditors  47
   The responsibilities of the audit committee and board of directors  47
   The responsibilities of the external auditor  48
   Communication with the audit committee  50
   Additional help from the external auditors  50
   Key Messages  51
J. Readiness for the Fourth Phase of Certification  53
Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006  55
Appendix 2: MI 52-109 Definitions of Disclosure Controls and Procedures and Internal Control Over Financial Reporting  57
Appendix 3: Where to Find More Information  59
Preface

Risk Management and Governance Board
Thomas Peddie, FCA, Chair
Dan Cornacchia, FCA
Brian Ferguson, CA
John Fraser, CA
Michael Harris, CA
Andrew J. MacDougall, LLB
Peter W Roberts, CA, CPA (Illinois)
Josee Santoni, CA

Directors Advisory Group
Giles Meikle, FCA, Chair
James Arnett, QC
William Dimma, F.ICD, ICD.D
John Ferguson, FCA
Gordon Hall, FSA, ICD.D
Robin Korthals
Mary Mogford, F.ICD, ICD.D
Patrick O’Callaghan
Ronald Osborne, FCA
Guylaine Saucier, CM, FCA

CICA Staff
William Swirsky, FCA, Vice President, Knowledge Development
Gigi Dawe, Principal, Risk Management and Governance
The Risk Management and Governance Board (the RMG Board) of the Canadian Institute of Chartered Accountants commissioned this document to help
CEOs and CFOs to fulfill their responsibilities regarding external financial
reporting, in particular Internal Control over Financial Reporting (ICFR) and
the related CEO and CFO certifications that are effective in 2006.
The Canadian Securities Administrators’ (CSA) Multilateral Instrument
52-109, CEO and CFO Certification, requires CEOs and CFOs to include for
the first time in their 2006 annual certificates statements about the design of
internal control over financial reporting and related MD&A disclosures. This
is in addition to the existing certifications that address disclosure controls and
procedures (DC&P).
This publication, a companion document to Internal Control 2006: The Next
Wave of Certification, Guidance for Directors, provides CEOs and CFOs (and
other management) with a top-down, risk-based process to follow in certifying the design of ICFR, including a methodology for assessing ICFR design
weaknesses and deciding on necessary disclosures.
This guidance combines control principles, concepts and practices derived
from recognized internal control frameworks, guidance and contemporary
literature about ICFR with fresh insights and proposals developed for these
CICA publications. This guidance also complements existing CICA publications about control, risk, corporate governance, disclosure and CFO responsibilities.
The guidance in both publications has been developed for TSX and venture
issuers, since MI 52-109 applies to both. Small cap and venture issuers face
special circumstances and control challenges. These are acknowledged and
addressed to the extent possible at this time.
The RMG Board acknowledges and thanks members of the Directors Advisory Group for their advice, the authors — James L. Goodfellow, FCA, Vice
Chair of Deloitte, and Alan Willis, CA, Alan Willis & Associates — and Hugh
Miller for his editorial reviews and helpful suggestions.
Internal Control 2006: The Next Wave of Certification — Guidance for Management
The authors are responsible for the views expressed in this publication; it does
not represent, amend or replace any professional standard nor does it constitute prescribed minimum requirements. CEOs and CFOs should consult
their professional advisors on any matter about which they seek clarification,
further information or guidance.
Tom Peddie, FCA
Chair, Risk Management and Governance Board
Authors
James L. Goodfellow, FCA
Alan D. Willis, CA
Editor
Hugh Miller
Project Director
Gigi Dawe, Principal, CICA
Dedication
This publication is dedicated to the memory of W.A. (Bill) Bradshaw, FCA
(1928 – 2006) a partner, friend and mentor to the authors. Bill made many
unique contributions to the Canadian accounting profession. Perhaps the
most significant of these was the introduction of multi-disciplinary “systems”
thinking to the topics of governance, risk, control and accountability. His
thoughts and insights have been invaluable to us in all our work, not least in
developing this guidance — a legacy for which we are deeply grateful.
A. Introduction
In their annual certificates for 2006, CEOs and CFOs will have to certify on the
design of internal control over financial reporting. What steps can CEOs and
CFOs take to prepare to make these new certifications? What are the implications of any material weaknesses that are identified during the process?
Background
The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to certify in their
2006 annual certificates that they are responsible for establishing and maintaining both disclosure controls and procedures (DC&P) and internal control
over financial reporting (ICFR), and that they have “designed such internal
control over financial reporting…to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.”
The CEO and CFO certificates are also required to state that “any change in
the issuer’s internal control over financial reporting that occurred during the
issuer’s most recent interim period that has materially affected, or is reasonably
likely to materially affect, the issuer’s internal control over financial reporting” is disclosed in the Management’s Discussion & Analysis (MD&A).
The CSA plans to further expand the CEO/CFO certification in the future to
include a certification on the operating effectiveness of ICFR. Separate auditor
attestation about ICFR is no longer expected under Canadian requirements.
In brief, this publication provides an overview of the four phases of CSA’s
certification requirements and the relationship between ICFR and DC&P,
followed by a short discussion of the relevance of the stages in a company’s
growth to the design of ICFR. It proposes a top-down, risk-based process for
CEOs and CFOs to follow in order to assess the design of ICFR and decide
what internal and external disclosures are necessary to report their findings
and conclusions. The roles of audit committees and external auditors regarding ICFR and related certification are discussed. Finally some conclusions
and issues are presented about readiness for the fourth phase of certification.
Appendix 1 provides a diagram of the four phases of CEO/CFO certification
Internal Control 2006: The Next Wave of Certification — Guidance for Management
and the annual certificate required in 2006. Appendix 2 sets out the CSA definitions of ICFR and DC&P. Appendix 3 shows where to find more information about topics referred to in this publication.
Responsibility for internal control
The CSA’s corporate governance guidelines state that boards should be responsible for the issuer’s internal control and management information systems.
In practice, the board of directors delegates to management the responsibility
for designing and implementing a system of internal control, including those
elements that constitute ICFR.
Internal control is widely taken to mean the processes established by management to provide reasonable assurance about achievement of the organization’s
objectives regarding operations, reporting and compliance. Internal control is
designed to address identified risks that threaten any of those objectives. The
CSA definition of internal control over financial reporting specifies objectives
relevant to financial reporting.
The CEO’s and CFO’s attitudes about and approach to the certification process
send a clear signal to the entire organization. When CEOs make the process a
top priority and provide active leadership to it, the people who prepare financial reports, accounting estimates and financial disclosures will also make
quality financial reporting a priority. Moreover, CEOs and CFOs may well conclude
that the cost of implementing sound ICFR is outweighed by the adverse
impact of rectifying problems after they have become a market issue, not to
mention the damage to the reputations of the enterprise, its directors
and officers.
While this publication is directed primarily to assist CEOs and CFOs, it also
aims to assist other members of management involved in the certification and
reporting process who need guidance on certifying the design of ICFR in time
for the 2006 annual filings. Accordingly, we frequently use the term “management” throughout the publication.
Implications for small issuers
Certifying the design of ICFR is no small task, especially for a small company.
Venture issuers are not exempt from the ICFR design certification requirement, yet there are important practical considerations for them to address that
arise from the smaller size of many venture issuers. Corporate governance and
audit committee practices for venture issuers may be less well developed than
those in larger, non-venture issuers, partly reflecting differences in applicable
CSA governance and audit committee requirements. Financial management
functions and staffing may also be more limited in scale and capability in
small cap and venture issuers.
These practical considerations for small and venture issuers are acknowledged
and addressed to the extent possible in relevant parts of this document. The
June 2006 US COSO publication Internal Control over Financial Reporting — Guidance for Smaller Public Companies may be of some assistance to
small cap issuers, although “smaller public companies” in the US are often
large compared to “smaller” Canadian public companies.
CSA National Policy 58-201, Corporate Governance Guidelines, item 3.4
Some small issuers may face a special challenge: the new requirement for
2006 calls for certification as to the effectiveness of ICFR design, yet the lack
of personnel and financial resources for many of these issuers may result in
material weaknesses in ICFR — weaknesses that cannot be readily corrected
in a cost-effective way. This could preclude them from providing the required
certification about ICFR design, thus also preventing them from signing and
filing the full certificate (since no amendments to certificates are permitted).
How this situation may be dealt with and disclosed is an important issue that
is discussed later in this publication.
Boards of directors and audit committees
The certification requirements raise important questions for audit committees and boards of directors. What is their role in the process? What exposure
would result if it was determined that a weakness existed in the design of ICFR
after it had been certified by the CEO and CFO and not mentioned in the
board-approved MD&A? What exposure would result if material accounting
errors were discovered after the filing of the documents and of the CEO’s and
CFO’s certification of the design of ICFR, with no weaknesses reported in
the MD&A that the audit committee had reviewed and the board of directors approved?
A shorter companion publication is directed at the oversight needs and responsibilities of audit committees and boards of directors. The companion publication places special emphasis on the role of the board of directors regarding the
organization’s overall control environment and “tone at the top,” which have
an overarching influence on ICFR. Audit committees or boards of directors
seeking more detailed information on specific aspects of the process followed
by CEOs and CFOs in preparing to certify the design of ICFR should refer to
this publication.
B. The Four Phases of Certification
Multilateral Instrument 52-109, CEO and CFO Certification was issued in
2004 and contains requirements similar to the US SOX-related certification
rules, issued by the Securities and Exchange Commission (SEC). Since 2005,
MI 52-109 has applied to all reporting issuers, although Canadian issuers
that are also SEC registrants may use the certifications they prepare for US
purposes to satisfy the Canadian requirements. There are no exemptions for
venture issuers, unlike those provided to companies listed on the TSX Venture Exchange for certain audit committee requirements and corporate governance disclosures.
The CEO and CFO certification requirements are being implemented in four
phases, each of which builds on the previous one and expands the scope of the
certification.
The first phase, introduced in 2004, required chief executive officers and
chief financial officers of reporting issuers to personally certify that, based
on their knowledge, the financial statements and other financial information
contained in their annual and quarterly filings “fairly present in all material
respects the financial condition, results of operation and cash flows” of the
company. This was known as the “bare” certificate.
In the second phase, which became effective in 2005, CEOs and CFOs were
also required to certify that they had designed disclosure controls and procedures to provide reasonable assurance that material information relating
to the issuer, including its consolidated subsidiaries, is made known to them
by others within those entities. It also required CEOs and CFOs to certify
that they had evaluated the effectiveness of the issuer’s disclosure controls and
procedures as of the end of the period covered by the annual filings and had
caused the issuer to disclose in the annual MD&A their conclusions about the
effectiveness of the disclosure controls and procedures.
When MI 52-109 originally came into effect in 2004, it was not applicable in BC or Quebec.
2006 marks the introduction of the third phase of the certification. CEOs and
CFOs are now required to add the following additional certifications to their annual certificates:
• The issuer’s other certifying officers and I are responsible for establishing
and maintaining disclosure controls and procedures and internal control
over financial reporting for the issuer, and we have:
(b) designed such internal control over financial reporting, or caused it to be
designed under our supervision, to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP;
and
• I have caused the issuer to disclose in the annual MD&A any change in the
issuer’s internal control over financial reporting that occurred during the
issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial
reporting.
The fourth phase of CEO/CFO certification has not yet been finalized, but will
be introduced, at the earliest, in 2007. The CSA has indicated that this phase
will require CEOs and CFOs to certify that they have evaluated the effectiveness of ICFR and disclosed the conclusions of their evaluation in the issuer’s
annual MD&A. Unlike the U.S. requirements, CEOs and CFOs will not have
to issue a separate management report on internal control, nor will they be
required to obtain the external auditor’s opinion of management’s assessment
of the effectiveness of internal control or the auditor’s own assessment of the
effectiveness of internal control.
The CSA is currently revising MI 52-109 to reflect these proposals, which it
expects to release for public comment in the fall of 2006.
CSA Staff Notice 52-311, Dec. 2005. A copy of the certificate for 2006 is provided in Appendix 1 together with a diagram illustrating the four phases of certification.
C. Relationship between ICFR and DC&P
The CEO/CFO certification requirements contain two control concepts — disclosure controls and procedures (DC&P) and internal control over financial
reporting (ICFR).
Reporting issuers make two types of public disclosures. One type is the
information contained in documents they are required to file with the securities regulators (including the interim and annual financial statements and
MD&As). The other type includes other voluntary disclosures made in oral or
written statements.
The CSA’s definition of ICFR relates to the reliability of financial reporting,
focusing in particular on controls over the information contained in the
annual and interim financial statements. Under the CSA definition, the
purpose of ICFR is to provide reasonable assurance that:
• financial statements prepared for external purposes are in accordance with
the issuer’s GAAP
• transactions are recorded as necessary to permit the preparation of financial statements, and records are maintained in reasonable detail
• receipts and expenditures of the issuer are made only in accordance with
authorizations of the issuer’s management and directors, and
• unauthorized acquisitions, uses or dispositions of the issuer’s assets that
could have a material effect on the financial statements will be prevented
or detected in order to prevent material error in annual or interim financial
statements.
For the purpose of ICFR design certifications (and related MD&A disclosures), ICFR should, in our interpretation of the CSA definitions, be regarded
as an element or sub-set of DC&P. This means any material weakness in the
design (or operating) effectiveness of ICFR should be disclosed in the MD&A,
as would any other weakness identified in management’s conclusions about
the effectiveness of DC&P.

See Appendix 2 for CSA definitions of DC&P and ICFR.
This interpretation is consistent with that expressed in Appendix III of “Perspectives on
Internal Control Reporting”, December 2004, by Deloitte & Touche LLP, Ernst & Young LLP,
KPMG LLP and PricewaterhouseCoopers LLP (USA). Part 6 of the Companion Policy to MI
52-109 also discusses this matter, indicating substantial but not complete overlap of DC&P
over ICFR.
The following diagram illustrates the relationship between an organization’s
overall control structure, its disclosure controls and procedures and its internal control over financial reporting. The diagram is intended to illustrate
that ICFR is narrower than DC&P, which, in turn, is more restricted than
the controls over all public disclosures, and they, in turn, are less encompassing than the total set of controls within an organization to help it achieve its
objectives.

[Diagram: Categories of Control, from broadest to narrowest:
Overall Business Control Structure;
Controls over information contained in other public disclosures;
Disclosure Controls and Procedures (DC&P) per MI 52-109 Definition;
Internal Controls over information contained in annual and quarterly financial statements (ICFR) per MI 52-109 Definition.]
The relationship between disclosure controls and civil liability for disclosures
in the secondary market is important. Directors, officers and issuers are entitled to a due diligence defence, which would include placing reliance on the
issuer’s disclosure system and controls, providing they have conducted a reasonable investigation to support such reliance. The CEO and CFO certifications, and the process the CEO and CFO follow to support their certifications,
would be an important component of such a defence.
The CEO and CFO certifications contemplated by MI 52-109 address only
controls over documents that are required to be filed with a securities regulator. Audit committees or boards of directors that want to rely on disclosure
controls over other voluntary disclosures (e.g., annual reports or conference
calls with analysts) must ensure that the controls over these disclosures are
either included in the CEO/CFO certification process or are evaluated in some
other manner.
Key Messages
• Disclosure controls and procedures (DC&P) and internal control over financial
reporting (ICFR) are defined terms in MI 52-109. The CSA definition of ICFR
focuses on the financial statement component of financial reporting.
• Material weaknesses in the design of ICFR should be disclosed in the MD&A in a
manner similar to the disclosure of material weaknesses in DC&P.
• In light of Ontario’s civil liability legislation, issuers may wish to expand their
operational definition of DC&P to include all public disclosures and not just
information contained in documents that are required to be filed with a securities regulator.
D. ICFR and Stages in Business Growth
ICFR is not just about satisfying the financial reporting requirements of securities regulators. A well designed ICFR system provides reasonable assurance
that assets are safeguarded, and that accurate and reliable financial information and performance measures are reported on a timely basis to decision
makers. In short, a well designed ICFR contributes to the enterprise’s ability
to make decisions to help it achieve its business objectives, including those
regarding competitive advantage and long term development. Weak ICFR is
not just a financial reporting risk, it may represent a principal risk to the organization and the achievement of its overall business objectives.
To meet these business objectives, ICFR must address the challenges, opportunities and risks the business faces as it competes for market share, customers, people and capital in its industry. Because these challenges and risks are
different at the various stages of a company’s evolution, the required approach
to ICFR will also differ.
At a given point in time, a company is typically in one of the following five
stages of growth:
1. Start-up/Exploration
2. Rapid growth
3. Maturity
4. Transformation
5. Decline
Management must ensure that the design of ICFR addresses the risks related
to each growth stage and is appropriately modified as the company transitions
from one stage to another.
1. Start-up/Exploration.
These companies typically have yet to establish the markets or customer bases
to generate sustained profits and cash flows. They often lack strong accounting
and financial capabilities, and must closely monitor and project cash flows
to protect against burning through the capital provided by the owners and
raised in the Initial Public Offering. Their ICFR design issues relate to basic
accounting, tax and cash flow management, and minimizing the potential for
management override of controls by the CEO and/or controlling shareholder,
who may still attempt to run the business as if it were a private company.
2. Rapid Growth.
Keeping pace with double digit growth and struggling to supply sufficient
product to keep up with customer demand are just some of the challenges facing these companies, which often must address a range of issues demanding
time and money that stress their management and accounting systems. Their
ICFR design issues include the need to acquire the accounting capabilities to
keep pace with, and catch up to, revenue growth and acquisition programs.
Because it takes significant time and resources to implement these capabilities
(which compete with the time and resources needed to keep up with customer demand), the ICFR design solution is often to leave things as they are,
or put in place “spread sheet interfaces” and other “workarounds.”
3. Maturity.
These solidly profitable companies with significant market share, loyal customers, a sizeable work force, good cash flow and routine business operations usually have several layers of management and a number of policies and
business processes. Often, management attempts to flatten its management
structure and streamline processes through automation and outsourcing to
enhance productivity and improve shareholder returns. These businesses may
also be spun off into structures such as income trusts, which create their own
financial reporting challenges.
Mature companies’ ICFR design issues often relate to establishing effective
entity level controls, enterprise risk management programs, accountabilities,
and redesigning process controls to improve efficiency. In large mature organizations, ICFR can become overly bureaucratic, procedure driven and provide a false sense of comfort with respect to ICFR effectiveness. There is a risk
that process redesign and reengineering programs will result in management
losing control of their billing, costing and accounting systems, which highlights important ICFR design considerations in areas such as revenue recognition or loss provisions. Multi-location and international operations, as well
as the decentralization of operations and information systems, may present
further ICFR challenges.
4. Transformation.
Should revenue growth level off and customers’ loyalty wane, companies will
either reinvent themselves to get on a new “growth curve” or fall into a further stage of decline. Entering into new markets often requires considerable
entrepreneurial skills and agility, so many larger mature organizations will
accomplish their transformations through joint ventures, new investors and
strategic partnership arrangements.
The implications for ICFR design in these companies are significant. Transformation is much more than the re-engineering of a business process or
processes. The risks must be clearly understood. ICFR must be designed to
maintain management control during the transformation process, and ensure
that financial reporting, including key performance metrics, is accurate and
reliable no matter how bad the results may be. The documentation of and
adherence to both new and pre-existing policies and controls may be another
issue to address.
5. Decline.
Companies with falling sales and profits and negative cash flow often reduce
their workforces and cut programs in an attempt to restore profitability and
cash flow, and alleviate the concerns of investors and analysts. These companies must balance their ICFR needs with the business’s need to cut its cost
structure. Too often, though, cost cutting programs also impair the effectiveness of ICFR and reduce institutional memory and weaken the capability to
produce reliable financial reporting.
Key Messages
• Businesses are not static, but are continually changing and evolving. ICFR must
change as business changes from one growth cycle to another.
• The design of ICFR that is appropriate to one growth cycle may not be effective
in another. For example, the ICFR design for a large mature organization is not
appropriate for a start-up; similarly, the design of ICFR in a start-up enterprise
will need to change as revenue and business grow.
• Understanding where the business is on the growth cycle will help CEOs, CFOs
and audit committees assess risks and determine the key issues that must be
addressed in ICFR design.
• In larger companies, operating subsidiaries and business units may be in different stages in the growth cycle, which further complicates ICFR design.
E. Developing an Approach for Certifying the Design of ICFR
In 2006, CEOs and CFOs are required to assess the design of ICFR, but not its
operating effectiveness. It is difficult to fully assess “design” without also considering “operating effectiveness.” History is full of examples of grand designs
that never worked in practice (many elaborate, early concepts for man-powered flight, for example). Therefore, CEOs and CFOs must adopt an organized,
disciplined and documented process for assessing the design of ICFR to support their certification. It is advisable for the audit committee to review and
approve this process at the outset, since the conclusions on DC&P, including
those about the design of ICFR and any material changes in ICFR during the
preceding quarter, will need to be disclosed in the MD&A.
Overall considerations
Management should begin their approach to certification about ICFR design
by developing a methodology whereby the nature, extent and timing of the
steps in the process are based on principal financial reporting and disclosure
risks and enable management to draw reliable conclusions about the design of
ICFR. It is also useful to bear in mind the four objectives of ICFR as discussed
earlier. Some factors to consider are:
• The assessment should be “top down” and “risk based” to ensure that the
focus is on the important financial reporting and disclosure risks and
issues.
• CEOs should play, and be seen to play, an active role in the process — helping set priorities and areas of focus, attending key meetings and participating in decisions about the assessment of findings and required disclosures,
including those in the MD&A. The CEO’s active involvement signals to the
entire organization that ICFR and the design certification are important
and helps ensure that the “tone at the top” is reflected in the approach to
ICFR. CEOs also bring perspective, insight and judgment to the process
that help ensure that ICFR is aligned with core business processes, including risk management, the use of key performance indicators to monitor
operational and financial results, and continuous improvement in business
processes and IT.
• Management should develop and document their assessment approach,
which should include some level of testing (see the discussion on controls
that mitigate key financial reporting risks).
• Where possible, the assessment process should not be a stand-alone process. It should be integrated with management’s ongoing control monitoring activities and anticipate the future need for management’s evaluation
of and certification about ICFR effectiveness.
• The CEO and CFO should inform the audit committee about their approach
and process and involve the audit committee where appropriate, such as
obtaining its comments on the proposed ICFR design certification process
at the outset.
Designing effective ICFR is not a mechanical process and, consequently, certifying its design cannot be performed in a mechanistic manner. The goal is
to assess whether there is an appropriate mix of controls that work effectively
together to achieve the objectives of ICFR set out in MI 52-109. Other important issues for CEOs and CFOs to consider as they plan their approach to
assessing the design of ICFR include:
Using a control framework.
The CSA leave the decision to use a control framework to the CEO and CFO.
There are benefits to adopting a recognized control framework, particularly
when CEOs and CFOs will also have to certify on the operating effectiveness
of ICFR. COSO’s 1992 Internal Control — Integrated Framework is the most
commonly used framework; smaller issuers should consider COSO’s “Internal
Control over Financial Reporting — Guidance for Smaller Public Companies”
(June 2006). The CICA’s 1995 Guidance on Control (CoCo) provides another
recognized framework of control criteria.
Preventive and detective controls.
There are two types of controls: those that prevent errors from occurring (e.g.,
accounting policies, safeguarding of assets) and those that monitor performance and detect errors that have occurred (e.g., internal audit, review of
reconciliations, monitoring of financial performance against budgets). An
effective ICFR should achieve a balance between preventive and detective
controls.
Entity wide controls and process level controls.
Effective ICFR must balance preventive and detective controls at the entity
level with those at the process level.
Alignment with sub-certification processes.
For DC&P purposes, many larger companies have established sub-certification processes, whereby the direct reports to the CEO and CFO provide formal certifications to them on the:
• completeness and accuracy of the financial information pertaining to their
areas of responsibility, and
• effectiveness of disclosure controls and procedures.
Larger organizations should consider whether this process should include
sub-certifications from those business unit and finance executives who have
important responsibilities in the financial reporting process.
Sub-certifications by junior officers and managers are not a substitute for the
CEO’s and CFO’s own diligence and knowledge, nor for ensuring that the
company has effective DC&P and ICFR. However, a well designed sub-certification process that encompasses DC&P and the design of ICFR can add discipline to the financial reporting and disclosure process, positively reinforce the
need for effective ICFR and help sustain a corporate culture that places a high
value on accurate and timely financial reporting and disclosure. It can also
form the backbone of an accountability system for financial reporting.
Perhaps the most useful benefit of a well designed sub-certification process is
the opportunity it provides for CEOs and CFOs to engage business unit leaders in the financial reporting process, thereby helping those leaders to better
understand the importance of risk management and effective control and, in
so doing, better manage their business units.
To be effective, sub-certification processes should cover and be aligned with
all of the issuer’s control systems and business units and should:
• include a review of how the senior business and finance leaders of each business unit and “control system” satisfy themselves that the design of ICFR in
their area of responsibility provides reasonable assurance of attaining the
four key objectives of ICFR
• be integrated with the management reporting and accountability structures through which senior management monitors performance and manages the business and financial risks
• educate the people involved in the sub-certification process regarding its
purpose and their responsibilities, and
• support a culture of openness and trust that enables people to raise issues
(e.g. potential ICFR design weaknesses) or questions without fear of criticism or reprisal.
CEOs and CFOs who follow the process suggested below, and document how
it was applied, will have a demonstrable, reasonable basis for providing the
certifications they are required to make concerning the design of ICFR.
Process for certifying the design of ICFR
The following chart outlines a seven-step process that CEOs and CFOs may
choose to follow for certifying the design of ICFR. The steps are discussed in
detail in sections F, G and H.
[Chart: Process for Certifying the Design of ICFR. Preparation Stage: (1) Review Relevant Control Information; (2) Identify Relevant Control Systems and Material Account Balances; (3) Review Principal Financial Reporting and Disclosure Risks. Assessment of Design Stage: (4) Assess Control Environment; (5) Assess Other Entity Level Controls; (6) Process Controls A to G. Conclusions and Disclosure Stage: (7) Assess Findings, Form Conclusions and Make Disclosures.]
F. Certification Process: Preparation Stage
Before they can begin assessing the design of ICFR, management should first:
• review relevant control information
• identify relevant control systems and account balances, and
• review principal financial reporting and disclosure risks.
1. Review relevant control information
The first step is to collect control information to help identify areas where
design weaknesses in ICFR might exist. A survey of US companies reporting
on ICFR under SOX 404 found that “indicators” of a material weakness in
ICFR included:
• restatements of previously issued financials
• material audit adjustments
• ineffective audit committee
• ineffective internal audit or risk assessment function
• ineffective regulatory compliance function
• fraud of any magnitude by senior management, and
• failure to timely correct significant deficiencies.
Areas where significant deficiencies in ICFR occurred included:
• selection and application of accounting policies
• antifraud programs and controls
• non-routine and nonsystematic transactions, and
• period end financial reporting process, including journal entries.
Identified in a study of SEC registrants’ public disclosures conducted by the Ives Group for Deloitte & Touche LLP.
It is also informative to review the areas of weaknesses identified in the SOX
404 ICFR reporting (percentages represent the proportion of companies
reporting the weakness):
• tax accruals, deferrals etc.: 31.8%
• revenue recognition: 31.1%
• inventory/vendor cost of sales: 27.2%
• fixed/intangible assets: 18.5%
• leases or contingencies: 16.6%
• depreciation/amortization: 12.6%
• consolidation/Variable Interest Entities: 8.9%
An analysis of these weaknesses found they related to:
• material year end adjustments: 52.6%
• restatements of financials: 49.2%
• personnel issues: 47.7%
• segregation of duties: 21.0%
• IT processing, access issues: 20.7%
• internal audit issues: 2.5%
Other sources of information to consider to help identify areas that might
indicate ICFR design weaknesses include:
• reports by internal audit
• management letters and audit committee communications provided by the
external auditors
• errors detected by both management and the external auditors in the financial statement preparation and closing process — irrespective of whether
these errors were subsequently corrected
• communications from regulators, for example concerns expressed in continuous disclosure reviews, and
• communications received from employees and others, e.g. as a result of the
whistle blowing process.
2. Identify relevant control “systems” and material account balances
It helps to decompose ICFR into meaningful sub-categories. These sub-categories may include the principal processing and accounting systems, including the related material account balances, to which particular process level
controls apply, within the context of the control environment and other entity
level controls. A typical set of accounting systems would include:
• financial statement closing and preparation process
• revenue recognition, receivables and receipts
• purchases, payables and payments
• payroll
• capital expenditures, acquisitions and disposals, and
• finance and treasury.
From a study conducted by Audit Analytics of 629 companies that reported material weaknesses in the first year of SOX 404. The study was published in Section 404 Internal Control Material Weaknesses Dashboard — Results for the first full year of Section 404 disclosures, April, 2006.
Reporting issuers are required to prepare their financial statements on a consolidated basis under the issuer’s GAAP. Therefore, the certification of DC&P
and ICFR will include subsidiaries whose financial statements are included
in the consolidated financial statements. Larger companies whose accounting
systems vary by subsidiary will need to separately consider each subsidiary’s
accounting system, where the subsidiary may be material relative to the issuer’s financial reporting.
CEOs and CFOs of issuers that consolidate their financial results and MD&A
with those of a subsidiary that is also a reporting issuer need to determine the
level of due diligence required in respect of the consolidated subsidiary in order
for them to provide the issuer’s certification.10
In smaller companies, the accounting systems to be assessed are likely to be
more obvious and straightforward.
3. Identify major financial reporting risks
ICFR should provide reasonable assurance that significant financial reporting and other financial disclosure risks are effectively controlled, and will
not produce misleading accounting results or disclosures. Therefore, the next
step in preparing to certify the design of ICFR is to identify the major financial reporting risks that are to be considered at each step in the assessment
stage, including the final stage where findings are assessed and conclusions
are formed.
Boards of directors have a responsibility for the identification of the principal risks of the issuer’s business, including principal financial reporting and
disclosure risks, and ensuring the implementation of appropriate systems to
manage these risks.11
Entity-level management processes for identifying and addressing principal
business risks should include financial reporting and disclosure risks since
these can have serious adverse consequences to the issuer. Investor confidence
and market reputation are sensitive to disclosure and reporting deficiencies
and uncertainties. Enterprise risk management as an integrative management system can enhance management’s ability to identify, view and assess
the potential impact of financial reporting and disclosure risks from a “top-down” strategic perspective, not just at the level of business processes and
transaction processing.
A robust process for identifying financial reporting and disclosure risks
enables CEOs and CFOs to focus on the areas of greatest potential for financial reporting errors and omissions and, for each identified control “system,”
assess whether the design of ICFR is likely to reduce these risks to an acceptable level. If a company does not have a robust process for identifying principal business risks, then it should consider establishing one to ensure, among
other things, that its ICFR will address financial reporting risks. A significant
financial reporting risk that is not adequately addressed by the issuer’s ICFR
would likely constitute a design weakness.
10 Companion Policy to MI 52-109
11 CSA NP 58-201, 3.4
The bottom line is this: CEOs and CFOs need to have a reasonable, supportable and documented basis for concluding whether the controls that comprise
ICFR address all major financial reporting and disclosure risks. Any such risk
that is not addressed will represent a significant, even material, weakness in
ICFR and, therefore, in DC&P.
CEOs, CFOs and management may wish to take the following steps to assess
whether the design of ICFR adequately reduces key financial reporting risks
to an acceptable level:
• identify the key controls that address the identified financial reporting
risks
• assess and form judgments as to whether these controls are likely to provide reasonable assurance for the mitigation of these risks; in making its
assessment, management should consider the control related information
obtained, and past experience, and
• conduct a walkthrough or “test of one” for all key controls to assess whether
the control has been placed into operation.
Key Message
• CEOs and CFOs should determine whether the principal disclosure and financial
reporting risks have been identified. At the end of the design certification process, they should also determine whether those risks are adequately addressed
by controls to reduce to an acceptable level their potential to prevent achievement of the four objectives of ICFR.
G. Certification Process: Assessment Stage
The next steps in the process involve utilizing the information collected in the
preparation stage to assess the quality of:
• the overall control environment
• all other entity level controls, and
• relevant process level controls.
4. Assess the quality of the control environment
Recent high-profile accounting scandals and convictions of CEOs demonstrate that effective ICFR ultimately depends on the integrity of the CEO and
a culture of integrity within the organization. These are critical aspects of the
control environment, often referred to as the “tone at the top.” The control
environment is directly impacted by the board’s expectations for business
conduct, which, in accordance with sound corporate governance principles
and practices, are first shaped in the boardroom, and then communicated to
the rest of the organization, thus setting the context for all other business
controls, including ICFR.
The following diagram illustrates the linkage of corporate governance with
control and ICFR.
A recent international review of current developments in and convergence of
thinking about internal control states:
The importance of the tone at the top and the culture and ethical framework throughout the organization is fully acknowledged and considered
essential to the successful implementation of an internal control system.12
The CEO’s and CFO’s assessment of the control environment should also be
reviewed by the audit committee and board as part of their oversight of the
certification process. The five elements to consider in assessing the control
environment are discussed below.
Board responsibilities
Recognized corporate governance principles and practices embedded in
CSA guidelines and disclosure requirements emphasize the board’s role in
formulating, communicating and monitoring their expectations about business conduct. These guidelines state that the board’s mandate should include
a statement of responsibility for the issuer’s internal control and management
information systems13. The guidelines further state that the board should satisfy itself regarding the integrity of the CEO and other executive officers, and
the CEO’s and other executive officers’ efforts to create a culture of integrity
throughout the organization.
The “tone at the top” cannot be “designed” in the same sense as operational
or financial policies and procedures. The board, the CEO and senior management can, however, put in place the fundamental principles and expectations
to shape the control environment and create a culture of integrity, which is
normally reinforced by the example set by the CEO and senior management.
The potential for the CEO, CFO and/or controlling shareholder to override
controls is also a risk that depends, to a great extent, on the control environment, particularly the objectives the board sets for the CEO and the board’s
monitoring of the CEO’s performance.
Code of conduct
The board can communicate its expectations for corporate behaviour through
a code of business conduct and ethics. The CSA calls for all boards to adopt a
written code of business conduct and ethics, and to monitor compliance with
the code.14 TSX-listed companies are also required to make disclosures about
their adoption and monitoring of such a code.15
The failure to adopt and monitor compliance with a code of business conduct
does not automatically create an ICFR “design weakness.” It does, however, in
our view, create a likelihood of such a weakness, which may be mitigated by
other specific procedures or actions taken by the board and senior management.
12 International Federation of Accountants Information Paper, August, 2006, Internal Controls — A Review of Current Developments, page 14
13 National Policy 58-201 Corporate Governance Guidelines, item 3.4
14 CSA NP 58-201, Corporate Governance Guidelines, items 3.8 & 3.9
15 CSA NI 58-101, Disclosure of Corporate Governance Practices, Form 58-101, item 5
Whistle-blowing policy
Multilateral Instrument 52-110, Audit Committees, states that:
(7) An audit committee must establish procedures for:
(a) the receipt, retention and treatment of complaints received by the
issuer regarding accounting, internal accounting controls, or auditing
matters; and
(b) the confidential, anonymous submission by employees of the issuer of
concerns regarding questionable accounting or auditing matters
“Whistle blowing” procedures provide audit committees and boards with
information on the control environment, and the policies that help shape it.
Again, failing to establish effective “whistle blowing” procedures would not
automatically create a “design weakness,” but would probably create the likelihood of one, which may be mitigated by specific procedures or actions taken
by the board and senior management.
Compensation practices
The control environment and senior management’s behaviour can be severely
impacted when compensation schemes reward the wrong behaviours (e.g.,
motivating senior management to override ICFR in order to misstate financial
results).
The board, through its compensation committee, is expected to take responsibility for executive compensation, which would include ensuring that executive compensation programs support and reward behaviour consistent with
the code of business conduct and ethics, and board-approved corporate goals
and objectives for the CEO.16
Management’s philosophy and operating style
The preceding factors contribute to the “tone at the top” which in turn has a
major impact on the CEO’s and senior executives’ management philosophy
and operating style, including their:
• approach to taking and monitoring business risks, including those related
to disclosure and financial reporting
• attitudes and actions concerning financial reporting and disclosure
• emphasis on meeting shorter term budget, profit, and other financial and
operating goals, and
• focus on longer term business development and value creation.
The degree to which these factors are aligned with board-approved corporate goals, objectives and strategy influences management’s philosophy and
operating style. That philosophy and operating style is the interface between
the board’s expectations and the control environment, and the expectations
communicated to employees about control and the conduct of business. It,
therefore, has a significant influence over the effectiveness of other entity level
and process level controls relevant to ICFR.
The control environment has an overarching, pervasive impact on other entity
level and process level controls, including ICFR. Because the CEO and the
CFO are themselves key actors within and influencers of the control environment, their assessment of the control environment and culture of integrity is
unavoidably subjective — and, some might suggest, questionable. This presents a challenge for the CEO and CFO in their certification of the design of
ICFR, since they are in effect called upon to assess their own ethics, business
conduct and “culture of integrity.” The dialogue between the CEO and CFO
and the audit committee will be an important feature in reaching a balanced,
objective assessment of the control environment and its effectiveness relative
to the design (and later operation) of ICFR.
16 CSA NP 58-201, Corporate Governance Guidelines, items 3.15 – 3.17.
Board influence over the control environment in venture issuers
What the board of directors of a venture issuer can reasonably be expected to
do in shaping the control environment and “tone at the top” and the means
available to it to carry out those tasks deserve special attention.
NP 58-201 sets out corporate governance guidelines applicable to all reporting issuers. However, the instrument clearly acknowledges the need to “be
sensitive to the realities of the greater numbers of small companies…in the
Canadian corporate landscape”, and recognizes that “corporate governance is
evolving.” Further, NI 58-101, Disclosure of Corporate Governance Practices,
imposes more comprehensive disclosure requirements on non-venture issuers, mirroring the content of NP 58-201, than it does on venture issuers.
MI 52-110, Audit Committees, similarly acknowledges that the boardrooms
and governance practices of venture issuers can be very different from those
of non-venture issuers. It provides exemptions for venture issuers about audit
committee composition (including independence and financial literacy) and
disclosure requirements. There are, however, no exemptions for venture issuers regarding audit committee responsibilities, including the need for the
audit committee to establish “whistle blower” procedures.
Given these circumstances, how should the board of a venture issuer respond?
Two possible scenarios can be considered. In one, the board may choose to
adopt corporate governance best practices relevant to the organization’s size
and stage of growth, and do its best to influence the tone at the top, provide
oversight of the CEO and foster management integrity. This, in turn, will
strengthen key entity level controls and the company’s general “control consciousness.” Together, these activities may compensate for possible shortcomings in process level controls, such as the segregation of duties, that may be
difficult or impossible to implement in a small company. This approach might
suggest less risk and higher quality of management to analysts and investors.
In the second scenario, the board and audit committee may choose to focus
only on complying with those governance practices contained in NI 58-101
and MI 52-110 that are directly applicable to venture issuers. As a result, the
board might be less effective in setting expectations for “tone at the top” and
providing oversight of the CEO, which, in turn, would be less likely to signal
the importance of integrity in business conduct and disclosure. This could create a weak control environment, leaving the door open to undetected errors,
undesirable business conduct, unreliable or misleading financial reporting
and even management override of process level controls. This approach might
indicate greater risk and lower quality of management to analysts and investors.
The CEO’s and CFO’s assessment of the control environment should be a key
topic for enquiry by audit committees of both venture issuers and non-venture
issuers if financial reporting risk is to be realistically assessed.
Key Messages
• The control environment is shaped by the expectations set by the board and the
“tone at the top” established by the CEO and senior management. It has a lot to
do with the integrity of the CEO, other executive officers and their commitment
to ethical behaviour.
• The establishment of a board approved and monitored written code of business
conduct and ethics is an important feature of the control environment.
• Weaknesses in either the code of business conduct and ethics or monitoring compliance with the code would create the likelihood of a material design weakness
in ICFR.
• Assessing the control environment’s “design” by CEOs and CFOs is more subjective than assessing the design of other entity level and process level detailed
control policies and procedures.
• Audit committees and boards should ensure that the CEO’s and CFO’s assessment of the control environment is consistent with the information obtained
through the board’s monitoring of compliance with the code, its evaluation of
performance of the CEO, CFO and other senior officers, and other mechanisms
such as whistle-blowing procedures. CEOs and CFOs should be proactive in
involving audit committees in the assessment of the control environment.
• There are special considerations for CEOs, CFOs, audit committees and boards
of venture issuers in assessing the control environment and the board’s influence on it.
5. Assess the design of other entity level controls
The control environment is a vital entity-level control created by relevant
aspects of corporate governance, the entity’s tone at the top and its culture of
integrity. However, there are other important elements of control relevant to
ICFR that function across the entity and impact its business process controls
of all types. It is, therefore, necessary to assess whether these other entity-wide
controls are designed to adequately support the achievement of ICFR objectives, with the necessary linkages among them, and an appropriate balance
between them and the process level controls for each control “system.”
Entity-level controls are those that pervade and span all parts of an organization and its business units and processes to support the achievement of all of
the organization’s objectives — strategic, operational, reporting and compliance. CEOs and CFOs should focus on the design of the entity-level controls that
are particularly relevant to external financial reporting objectives and ICFR.
Entity-level controls are overarching in nature, interdependent and should
function holistically in reducing risk and achieving objectives. Linkages
should exist between entity-level controls and business process controls and,
therefore, the design of the latter should take into consideration the positive
influence of the former. This is a question of balance.
Key entity-level controls that CEOs and CFOs should consider carefully in
the context of design of ICFR are the focus of the fifth step in the process for
certifying the design of ICFR. These controls include:
• internal audit
• management information systems and performance measures
• human resource policies and practices (including compensation)
• organizational structure
• information technology, and
• upwards communication of material information.
Some entity level controls will not necessarily exist in venture issuers, such
as internal audit. Others will exist but at a scale appropriate to the size of the
venture issuer and its stage of business growth.
Each of these controls is discussed briefly below.
Internal audit
Does the internal audit function periodically evaluate the design and operation of
process level and other entity level controls relevant to ICFR objectives? Does it
follow up on recommendations to institute or improve such control features? Is it
sufficiently well resourced and independent to be effective?
The mandates of internal audit functions vary considerably from company to
company. Smaller issuers may not even have an internal audit function or they
may outsource such activities. There are three important factors to consider in
assessing internal audit’s effectiveness in the design and monitoring of ICFR:
• Mandate: Is internal audit’s mandate and audit plan aligned to helping
achieve the objectives of ICFR or is it focused primarily on operational
efficiency and effectiveness?
• Reporting relationships: Does internal audit report to the CEO or sufficiently high in the organization to ensure that weaknesses in ICFR are
surfaced and dealt with? Does it have direct access to and a strong working
relationship with the audit committee?
• Capabilities: Does internal audit have people with the requisite knowledge,
experience and skills to effectively discharge their mandate? Does it have
the requisite policies, procedures, tools and financial resources to operate
effectively and meet its mandate?
Management information systems and performance measures
What financial and operational performance reports are regularly provided to management at various levels in the organization? Does management’s review of these
reports, and the actions they take in response, provide a reliable means of detecting errors or problems in underlying data and accounting systems?
A valuable benchmark for assessing the reliability of periodic external financial reports is the extent to which management at all levels receive and review
regular, reliable operational and financial reports and analyze variances
against targets, budgets and prior period data. What may initially appear to
be “variances” may, upon closer investigation, be found to be errors in the
accounting system.
Non-financial management (i.e., operating, sales and administrative personnel) are well-positioned and equipped to detect and communicate deficiencies
in external financial reporting. However, the culture and incentives must be
conducive to such action, with suitable upward communication about significant variances and related analyses to keep the CEO and senior management
sufficiently informed and equipped to detect accounting errors and possibly
misstated or misleading external financial reporting. Therefore, the design
of ICFR should incorporate the appropriate checks and balances that involve
senior non-financial management and operating managers throughout the
organization.
Human resource policies and practices, including compensation
Are human resource policies and practices conducive to attracting, retaining,
developing and rewarding personnel for acquiring and applying the skills and
attitudes necessary to carry out their assigned responsibilities relative to the
objectives of ICFR? Are the human resource policies and practices consistent with
management’s philosophy and operating style?
Human resource policies and practices — including those related to recruiting, job descriptions and competencies, training and career development, and
performance evaluation and compensation — reflect, among other things, the
CEO’s management philosophy and commitment to competence.
At the entity-level, human resource policies and practices have a direct impact
on the level and quality of staffing for the accounting and finance functions.
The design of business process-level controls that address the knowledge and
competence of financial staff is closely linked to and influenced by entity-level
human resource policies and practices.
Organization structure, and assignment of authority,
responsibility and accountability
Are authority and responsibility assigned to positions within an organization
structure conducive to the effective and efficient achievement of ICFR objectives? Are reporting relationships and accountabilities clearly established and
widely understood?
A company’s organization structure and its policies and procedures regarding authority, responsibility and accountability are driven by management’s
decisions about strategy and the execution of strategy, and by management’s
philosophy and operating style. These are important factors to consider in the
design of ICFR, particularly the way in which the organization’s accounting
and finance functions are organized and staffed, the extent to which authority
and responsibility are delegated and the extent to which there is appropriate
segregation of duties.
Accountability, in practice, is more than just an aspect of structural choices
and management policies and procedures. It is also influenced by the culture
of integrity, tone at the top, and management philosophy and operating style.
This makes it more difficult, but no less important, to consider than the other
more tangible features of ICFR design.
Information Technology (IT)
Do the appropriate entity-wide controls exist over computer hardware, business
and accounting systems and internal networks to ensure system security and data
and program integrity? Are IT controls designed according to recognized methodologies and integrated within the organization’s overall control structure?
IT controls need to be considered at three levels: Entity-wide; Application; and
Distributed processing.
Entity-wide IT controls are a key aspect of ICFR design. That is why the COSO
framework was adapted by ISACA[17] and its research affiliate for their Control
Objectives for Information and Related Technology (COBIT),[18] which provides guidance on the design and evaluation of IT controls for the purposes of
financial reporting objectives and ICFR.
Entity-level IT controls are distinct from application controls specific to business processes and identified control “systems.” Entity-level controls include
what are often referred to as general computer controls and are important, not
only for ICFR purposes related to external reporting, but also for the effectiveness of business and risk management information systems. At the entity
level, a particular challenge for IT and financial professionals is for them to
function effectively together in determining cost-effective control solutions
that integrate financial and operational data and information needs.
The advent of distributed processing, and the use of IT by personnel throughout an organization, often with internet access, presents its own set of complexities and IT-related risks, which in turn can pose risks that ICFR needs to
address.
[17] Formerly known as Information Systems Audit and Control Association
[18] COBIT expressly aims to integrate IT controls within the COSO 1992 framework, and the
more recent COSO ERM framework (2004).
Upwards communication of material information
Are policies and procedures in place to ensure the upward communication of
information from all business units and subsidiaries? Is the appropriate information being communicated upward to senior management so they can make timely
decisions about financial disclosures and to correctly apply accounting policies
and estimates?
Material information relating to the financial statements, from all levels of the
reporting issuer’s organization including its consolidated subsidiaries, must
be made known to the CEO and CFO, particularly during the period in which
the financial statements are being prepared.
The upward communication of material information is a key feature of DC&P
and the CEO’s and CFO’s certification of it. The CEO and CFO need to assess
specifically whether policies and procedures exist to ensure that they receive
timely information about material events and conditions across and at all
levels of the organization. That assessment will enable the CEO and CFO to
then assess whether the accounting and disclosure are complete, accurate and
appropriate. The absence of such policies and procedures would prima facie
represent an ICFR design weakness.
Issuers that have already taken steps to implement DC&P to support their
related DC&P certifications should find these steps also contribute to ICFR.
Key Messages
• The CEO and CFO must assess whether entity-wide controls are designed to
adequately support the achievement of ICFR objectives, with the necessary linkages among them, and an appropriate balance between them and the process
level controls for each control “system.”
• Key entity-level controls that CEOs and CFOs should assess include:
– internal audit
– management information systems and performance measures
– human resource policies and practices (including compensation)
– organizational structure
– information technology, and
– upwards communication of material information.
6. Assess process level controls
[Figure: Assessment of Design Stage. Assess Control Environment; Assess Other Entity Level Controls; Process Controls A to G]
An organization’s control structure includes controls relevant to ICFR at
the level of business processes and material account balances (e.g. revenue,
purchasing, payroll, asset management, inventory, period-end closing, etc.)
within the company and all organizational units (e.g. divisions, subsidiaries,
off-balance sheet/special purpose entities, joint-ventures etc.).
There are several types of process level control particularly relevant to ICFR.
The way they are applied and the design factors to be considered in applying
them will likely differ depending on the organization’s size and complexity.
Each type of control should be assessed for each identified control “system”
and organizational unit. The key sub-elements are described below.
Alignment with specific process financial reporting risks
Have the principal financial reporting and disclosure risks related to the control
system or organizational unit been identified?
The assessment of principal business risks at the entity level should include an
identification of principal disclosure and financial reporting risks.
In assessing the design of ICFR, some risks must be addressed at both the
entity control and process levels. For example, revenue recognition is often a
financial reporting risk in technology companies where accounting standards
are complex and difficult to apply.
The financial reporting and disclosure risks need to be identified and aligned
with each identified “control system”, organizational unit and account balance to which they are relevant.
Accounting policies and estimates
Are appropriate policies in place to guide the actions and judgments of those
involved in the recording of transactions and the preparation of the issuer’s financial statements, including necessary accounting estimates?
Well-developed accounting policies and accompanying application guidance
inform the judgments of those involved in financial statement preparation,
and also the work of the IT personnel who design (or select) the software for
correctly recording transactions.
The lack of an appropriate set of accounting policies and related guidance
(manuals, etc.) would indicate the likelihood of an ICFR design weakness.
Accounting estimates present a particularly important challenge for the
design of ICFR.
Financial statements contain many estimates. Some are made at the operational level (e.g., inventory obsolescence), others at the corporate level (e.g.,
in accounting for stock options). Some estimates have detailed specifications
(e.g., estimates of unfunded pension obligations and health care obligations),
while others have only general parameters (e.g., bad debt provisions).
Accounting estimates can have a major impact on reported results. For this
reason, they have often been used to manipulate earnings. Because of their
potential impact on reported earnings (and the potential for manipulation),
ensuring there is appropriate control over accounting estimates is an important feature of ICFR design.
The increasing complexity of accounting standards increases the challenge of
making appropriate accounting estimates (and making the necessary disclosures in financial statement footnotes and MD&As). For smaller companies
this can be particularly problematic if they do not have the resources necessary for such tasks.
Examples of controls the CEO and CFO should address in assessing the design of ICFR
with respect to accounting estimates include those to provide reasonable assurance that:
• all required estimates are made in preparing the financial statements
• the people involved have the requisite expertise and understand the accounting
objectives (e.g., internal actuaries, who prepare valuations for funding and accounting purposes)
• the financial and non-financial data used in making estimates are complete and
accurate (e.g., payroll and HR data supplied to actuaries to enable them to compute
pension accounting estimates)
• the assumptions used in making/computing the estimate are “reasonable” and free
from bias
• an appropriate methodology is used in preparing/computing the estimate (some
methodologies as in pensions are prescribed while other estimates depend on the
judgements of management), and is properly documented to ensure consistent application over time
• if specialists are used in preparing an estimate, there is appropriate oversight of the
selection of the specialist and the terms of the engagement
• the final estimates produced are “reasonable,” free from bias, and fairly presented in
the financial statements and MD&A, and
• senior management override will be prevented (e.g., improper release of provisions
or reserves so that reported results meet analysts’ expectations).
Allocation of authority, responsibility and accountability
Is there an appropriate allocation of authority, responsibility and accountability with
respect to those involved in the preparation of the issuer’s financial statements and
the management and control of principal financial reporting and disclosure risks?
There are two specific issues for CEOs and CFOs to consider. One is the
segregation of certain duties, particularly in smaller companies where staff
resources are limited. The other is the effect that decentralization has on an
organization, which often occurs as a result of management philosophies of
empowerment and organizational flattening.
A lack of an appropriate segregation of duties, such as between purchasing,
inventory, payables and payments or personnel administration and payroll,
can create design weaknesses that may be difficult to remedy at the business
process level. In these situations, board oversight, tone at the top, a culture of
integrity and other entity level controls may be the only design features available for adequate ICFR. In addition, the periodic external reviews of transactions, reconciliations and accounts by suitably qualified professionals may
also be an acceptable remedy.
The segregation of duties in very small entities is often difficult since their size
limits the extent to which such segregation is practicable. In a smaller public
company, the CEO or controlling shareholder may be able to exercise more
effective oversight than they would in a larger entity, thereby compensating
for the more limited opportunities for the segregation of duties. On the other
hand, the CEO or controlling shareholder may be more able to override controls because of the more informal system of internal control.
Knowledge and competence of financial staff
Do the people involved in the preparation of financial statements have the necessary knowledge (e.g. GAAP), skills and tools to support the preparation of financial
statements and making appropriate accounting estimates?
Accounting personnel’s knowledge, skills and experience, including their
education and professional qualifications, should be assessed in relation to
their roles and responsibilities in the finance functions at the corporate and
business unit levels.
Accounting personnel must have the capability of addressing the complex and
technical challenges related to the issuer’s GAAP, tax compliance, accounting and provision estimates, etc. For example, an organization that prepares
its financial statements in accordance with US GAAP or prepares a reconciliation between US GAAP and Canadian GAAP should have the requisite
knowledge and expertise in US GAAP, or acquire it.
Smaller issuers may acquire the expertise they need by retaining expert outside legal or accounting advice to respond to what would otherwise be a significant ICFR weakness.
Control activities and documentation
Have control activities and procedures (both manual and automated) been established, documented and communicated throughout the issuer’s organization to
promote effective compliance with accounting policies, management directives
and regulatory requirements affecting financial reporting?
Application level IT controls are usually very important as well as complex.
Management must assess the manual and computer controls needed to achieve
the objectives of ICFR, including authorizations and approvals, preparation
and supervision of reconciliations, reviews of performance reports, physical
controls, variance analysis, etc.
SOX 404 and ICFR reporting in the U.S. have resulted in much more focus
on the role of IT controls at the application level. This is likely to be valuable
in Canada as the focus on design and evaluation of ICFR accelerates. Well
designed IT controls offer significant potential for enhancing the effectiveness
of controls in transaction processing systems and simultaneously reducing
compliance costs.
Management information and key performance indicators
Are results of operations as reported in financial statements based on accounting systems consistent or reconcilable with senior management’s knowledge of
actual business operations and with internal management information, including
key financial and non-financial performance indicators?
This is both an entity level control, as applied by the CEO, CFO and other
corporate executives, and a process level control as applied within control systems and business units.
Just as the extent to which management at all levels receive and review regular,
reliable operational and financial reports serves as a useful benchmark for
assessing the reliability of periodic financial reports at the entity level, so too
is the extent to which management at the business process level receives and reviews
such reports and analyzes variances against targets, budgets and prior period
data. Regular reviews of management reports with the CEO and CFO are valuable control features.
Similarly, it is important that the culture and incentives at the business process
level are conducive to non-financial management communicating upwards
about significant variances and related analyses.
Control monitoring and warning signals
Are there appropriate control monitoring activities (e.g. internal audit) that would
indicate weaknesses in the design of ICFR? Are other warning indicators of potential
design weaknesses in ICFR routinely monitored, such as adjustments required in
the annual closing process or the confidential, anonymous submission by employees of concerns regarding questionable accounting matters?
Other warning signals include regulators’ Continuous Disclosure reviews and
letters and, possibly, shareholder proposals and institutional investor enquiries.
While control monitoring and assessment is often considered to be an entity
level control, especially with respect to a corporate internal audit function, the
importance of its application at the business process level for ICFR purposes
should not be overlooked.
IT vendors have powerful automated tools for monitoring controls and
automatically raising alerts when pre-set error or variance conditions are
detected.
Key Messages
• An organization’s overall control structure includes controls relevant to ICFR at
the level of business processes and material account balances and at the level
of organizational units.
• The process level controls summarized above should be assessed for each
identified control system and organizational unit.
H. Certification Process: Conclusions and Disclosure Stage
Assess Findings, Form Conclusions and Make Disclosures
The final stage in the process for preparing to certify ICFR design is for the
CEO and CFO to review all the findings obtained in the preceding steps, form
their conclusions about the design of ICFR, and assess the implications for
disclosures in the MD&A and the ability of the CEO and CFO to sign their
respective certificates.
To sign their certificates, including the new certifications on the design of
ICFR required in 2006, the CEO and CFO must be satisfied that:
• the design of their ICFR will provide reasonable assurance of attaining the
four elements of ICFR, and
• there is appropriate disclosure in the MD&A of weaknesses in the design of
ICFR, as well as of any changes in ICFR in the most recent quarter.
A special situation exists if the CEO and CFO conclude that there is an uncorrected material weakness in design of ICFR as of the end of the reporting
period, such that the first condition above would not be satisfied. This situation is discussed below under “f. Deciding on signing the certificate”.
a. Review findings from assessments of ICFR design
CEOs and CFOs should review their assessment of the design of ICFR at the
entity level (control environment and other entity level controls) and at the
process level (see matrix below).
Two elements of this entity-level assessment deserve particular emphasis:
• The assessment of the expectations set forth by the board and the CEO for
the control environment and the culture of integrity, and
• Controls over principal financial reporting and disclosure risks.
Controls over principal financial reporting and disclosure risks should be
viewed as “mission critical” because these risks could create serious reporting
issues if they are not adequately controlled. A design weakness in ICFR with
respect to controlling a principal financial reporting or disclosure risk would
likely constitute a material design weakness.
The following matrix may be used to summarize the results of assessing the
process controls applicable to the various identified control “systems” (business processes and units).
In Row 1, summarize the financial reporting and disclosure risks applicable to
each control “system” that has been assessed. Then, in each cell for Rows 2-7,
enter management’s preliminary conclusions for the CEO’s and CFO’s consideration, using a scale such as:
A. Evident weakness — there is a need to consider whether there is a significant deficiency that should be reported to the audit committee or a material weakness that should be disclosed in the MD&A.
B. Possible weakness — further investigation is required to reach a final conclusion.
C. No sign of weakness — the ICFR design element looks effective.
Elements (rows), with one column for each identified control “system”: Control system A, Control system B, Control system C, Control system D
1. Identify principal financial reporting and disclosure risks
2. Accounting policies
3. Allocation of authority, responsibility and accountability
4. Knowledge and competence of financial staff
5. Control activities and documentation
6. Management information and KPIs
7. Control monitoring & warning signals
Completing a matrix such as the one above makes it possible to identify any patterns of apparent systemic weaknesses or specific weaknesses in a particular business process or unit. The possibility of compensating entity level controls should
also be considered when addressing weaknesses in process level controls.
Any instance where the CEO and CFO, or those assisting them in applying the
elements of ICFR design, are unable to satisfy themselves will usually indicate
a potential weakness in the design of ICFR. Consideration then needs to be
given to whether any compensating control exists at the entity level that would
detect and correct any errors that slipped through this weakness.
b. Disclosure considerations and decisions
Changes will need to be made to ICFR if the CEO and CFO conclude that
the design of ICFR, all or in part, does not meet the “reasonable assurance”
threshold contemplated in the design certification requirements, and that the
impact of a single design weakness or of a combination of weaknesses could
result in a material misstatement or omission in the financial statements.
Management also needs to consider whether their materiality assessments
address the other three objectives of ICFR. Any changes made to ICFR to
remedy material design weaknesses are to be disclosed in the MD&A at the
end of the reporting period in which the changes were made.[19] Following are
some important factors to be considered in making disclosure decisions about
ICFR weaknesses.
i. Categories of ICFR design weaknesses
There are three levels of disclosure for CEOs and CFOs to consider in evaluating a weakness in the design of ICFR. These are:
• Type A — weaknesses that are considered to be material, and should be
disclosed in the MD&A as well as to the audit committee and external
auditors
• Type B — weaknesses that are not considered to be material but are significant enough to be communicated to the audit committee and external
auditors, and
• Type C — weaknesses that are not significant from an external reporting
perspective, but should be communicated to the appropriate member of
management for remediation.
Issuers should develop their own criteria for applying these categories in practice. These criteria should be developed in consultation with internal audit,
the external auditors and the audit committee in the interests of consistency
in disclosure and internal communication.
When an ICFR design weakness is identified, it is necessary to evaluate its
significance and decide which category it falls into. This decision involves:
• deciding whether the ICFR design weakness could result in a material
error in or misstatement of the financial statements, on either a qualitative
or quantitative basis, and
• the likelihood of such an error or misstatement actually occurring in future
periods.
ii. Materiality
The accounting literature contains guidance on making materiality determinations from both a qualitative and quantitative perspective. Unfortunately,
no Canadian guidance is available to help management evaluate the likelihood of errors occurring, or what would constitute a “low” likelihood vs. a
“high” likelihood. There is, however, guidance in the U.S. literature, and the
following is a summary of the U.S. material for external auditors in evaluating
control deficiencies, which may be useful to CEOs and CFOs in assessing the
impact of deficiencies detected in ICFR design. The U.S. PCAOB[20] has defined
a material weakness as “a significant control deficiency, or combination of
deficiencies, that results in a more than remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented
or detected.” All material weaknesses would need to be disclosed. In the U.S.,
control deficiencies that are less serious than a material weakness are required
to be disclosed to the audit committee. If one or more material weaknesses
exist at the company’s year end, management and the external auditor must
conclude that ICFR is not effective.
[19] For December 31 2006 year end annual MD&As, this will be the fourth quarter.
The U.S. test of “more than a remote likelihood” that a material misstatement
will not be prevented or detected by the ICFR design weakness is a low threshold and tough standard to use in the assessment of ICFR design weaknesses.
However, it needs to be considered, since it could be used by the courts in the
absence of a Canadian definition or authoritative guidance. As a result, CEOs
and CFOs should use their professional judgment in assessing their findings
with respect to the design of ICFR and determining the appropriate disclosure
in the MD&A.
Any material design weakness in ICFR should, in our view, be disclosed in
the MD&A since it is likely to affect the effectiveness of DC&P. We consider
this to be a prudent practice that ensures relevant information is provided
to investors. In the absence of a disclosure referencing a design weakness in
ICFR, investors are likely to assume that the design of ICFR is effective and
that there are no material weaknesses to disclose.
We also point out that, if there is a restatement in a subsequent reporting period
to correct financial statement errors that occurred in the current reporting
period, regulators (and potential plaintiffs) will look to see whether a design
weakness in ICFR was disclosed to alert the reader of the financial statements.
If a design weakness was identified but not disclosed, then the burden of proof
will be on the officers and directors to justify their decision not to disclose.
iii. A decision tree on disclosure of material weaknesses
It is necessary to consider the need for disclosure of ICFR design changes for
weaknesses that are identified but not remediated before the annual financial
statements are finalized.
Where an ICFR design weakness is identified before the 2006 annual financial
statements are finalized, an investigation should be carried out to determine
whether a material error has, in fact, occurred, what adjustments need to be
made to the draft 2006 financial statements, and whether a restatement is
required to correct errors in prior periods (interim or annual financial statements). It would be difficult for officers or directors to demonstrate “due diligence” if identified design weaknesses in ICFR were not promptly investigated
to assess their qualitative and quantitative impact.
[20] Public Company Accounting Oversight Board
A decision tree to help in deciding on the appropriate disclosures and possible
corrections to financial statements needed in relation to ICFR changes regarding weaknesses identified (but not remediated) before the financial statements
have been finalized is presented below.
Chart 1: Steps in deciding if a weakness in ICFR design at year end should be disclosed.
Consider an identified ICFR design weakness existing at year end:
1. Could the design weakness fail to detect or prevent a material error?
   Not likely (i.e. remote probability): Advise management; no disclosure required.
   Yes: go to step 2.
2. Do current or prior period F/S in fact contain a material error?
   No: Disclose design weakness in MD&A and what management is doing to remedy the weakness.
   Yes: Correct errors, and restate prior period F/S if necessary; disclose design weakness in MD&A; and disclose what management is doing to remedy the weakness.
iv. Investigating the impact of ICFR design weaknesses
Investigating and correcting any financial statement errors that may have
occurred as a result of the ICFR design weakness failing to prevent or detect
them does not eliminate the need to disclose the material ICFR design weaknesses in the annual MD&A. All material weaknesses in the design of ICFR
existing at year end should be disclosed, followed by appropriate “change disclosure” in a future period when they are rectified or remediated. In our view,
remediating an ICFR design weakness should require both a “design fix” and
a test to determine that the new design is operating effectively in practice. As
a rule of thumb, we suggest that a design fix should operate effectively for at
least a quarter before it can be considered rectified, at which time the change
would be disclosed in the next interim (or annual) MD&A.
Management should also investigate and correct any errors that might occur
as a result of the ICFR design weakness in future reporting periods until
the weaknesses are remediated. For example, suppose a material weakness
in the design of ICFR is detected and disclosed in the 2006 annual MD&A.
Management should conduct an investigation to ensure that this weakness
did not result in material errors in the 2006 financial statements before these
statements are finalized and released. They should then conduct a similar
investigation in the first quarter of 2007, and in subsequent quarters, until the
weakness in the design of ICFR is corrected. To do otherwise could leave these
officers, and the directors, exposed to legal and/or regulatory actions if there
were a material error in the financial statements and they had done nothing
to ensure that the financial statements were fairly presented when they were
aware that a material design weakness existed in ICFR.
c. Disclosure examples
Some examples of material weaknesses disclosed by U.S. companies in their
annual filings include:
• “The company did not maintain effective controls to ensure that there was
appropriate support and documentation for reimbursement of expenditures; this control deficiency resulted in a misstatement.”
• “Management identified a material weakness in our accounting for income
taxes. Specifically the company did not maintain sufficient resources in the
corporate tax function.”
• “Management had determined that a control deficiency related to revenue
recognition on contracts entered into with customers constituted a material weakness.”
• “Two material weaknesses related to the company’s vendor debits process
and financial statement close process existed in the company’s internal
control over financial reporting.”
d. Deciding on disclosure of changes in ICFR
Paragraph 5 of the CEO/CFO certificate [21] for 2006 requires CEOs and CFOs
to disclose in the MD&A any material changes in their ICFR that were made
in the most recent interim reporting period – Q4 for annual MD&As. This
applies to changes that have materially affected ICFR and those that are reasonably likely to do so in the future. The failure to make such disclosures
would compromise the completeness of the MD&A as well as the CEO’s and
CFO’s ability to certify that the filings “fairly present in all material respects
the financial condition, results of operations and cash flows of the issuer.”
A decision tree to help in deciding on appropriate disclosures and possible
corrections to financial statements needed in relation to ICFR changes in Q4
is presented on the next page. This decision tree is based on our understanding of existing published CSA material.
Issuers are, of course, encouraged to follow the guidance that the CSA has
indicated it is developing about disclosure of changes in ICFR in the interim
period preceding the certification.
[21] See Appendix 1 for the full text of the 2006 certification.
Chart 2: Steps in deciding if a Q4 change in ICFR design should be disclosed
Start: Identify changes in design of ICFR in prior quarter (Q4). For each change, the chart works through three questions:
1. Was the change in ICFR made to remedy an identified design weakness?
2. Was the change needed as a result of business factors, events or decisions that would otherwise weaken ICFR?
3. Do current or prior period F/S in fact contain a material error?
Depending on the answers, the chart leads to one of four outcomes:
• No disclosure required.
• Investigate impact on current and prior period F/S. If material error/s caused, disclose the ICFR change in the MD&A (and correct errors and restate prior period F/S as necessary).
• Disclose change in design of ICFR in the MD&A.
• Disclose change in ICFR in the MD&A and correct errors and restate prior period F/S as necessary.
e. Uncorrected material weaknesses in ICFR
A situation may arise where an uncorrected material weakness in design of ICFR
has been identified as of the end of the reporting period, appropriate MD&A
disclosure has been made about the weakness, and appropriate steps have been
taken to ensure that there is no material effect on the financial statements.
Under these circumstances, it seems unlikely that the CEO and CFO would be
able to certify that the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. This situation would, it might be argued, also prevent the CEO and
CFO from signing and filing the full certificate, since the Companion Policy
to MI 52-109 does not permit changes of any kind in the wording of the certificates.
If a situation such as this occurs, the matter should be brought to the attention
of the audit committee, and legal counsel should be consulted to determine
an appropriate course of action. We believe that the CSA may not object to
CEOs and CFOs signing their certificates, including the paragraph about
ICFR design, if:
• The weakness is fully disclosed in the MD&A, together with a formally
approved remediation plan, or
• The weakness is fully disclosed in the MD&A, together with a statement,
including supporting rationale, that the issuer cannot remediate the weakness.
In other situations, e.g. the weakness is reasonably capable of remediation but
the issuer has not developed a remediation plan, the CSA may be reluctant to
accept the certificate.
We encourage issuers to review the staff guidance that the CSA plans to
provide on disclosure regarding ICFR weaknesses, and to consult with legal
counsel and the appropriate securities commission on the disclosure and certification to be provided.
If the issuer is disclosing a remediation plan for an identified material weakness in ICFR, then in our view such a plan should clearly indicate the actions
that need to be taken and when, and the commitment and capability to carry
them out. The plan should be approved by the CFO, the CEO and the audit
committee. These disclosures should continue to be provided in future periods until the audit committee is satisfied that the remediation plan has been
fully implemented.
It would be unwise for management and audit committees to try to rationalize why an ICFR design weakness is not really material and should not be
disclosed, in order to avoid the contradiction that might arise between the
disclosures in the MD&A and the wording in the required certificates.
f. Issues for small companies
In small companies with limited resources, certain ICFR design weaknesses
(e.g., segregation of duties) may be difficult or impossible for CEOs and CFOs
to rectify in a cost-effective manner.
In addition to following the course of action outlined above regarding uncorrected material weaknesses, management and the audit committee may wish
to consider whether there are other actions that could be taken to provide
assurance to investors that these ICFR design weaknesses have not resulted
in material error in the financial statements. For example, the audit committee could engage the external auditor to perform quarterly reviews of interim
financial statements. If the audit committee engages the auditors to perform
quarterly reviews, we recommend that this fact be disclosed in the MD&A.
Additional help from the external auditors is discussed further in the next
section of this publication.
Key Messages
• CEOs and CFOs should review the assessment of ICFR design for each control
system and business unit relative to the principal financial reporting and disclosure
risks. A design weakness in ICFR with respect to controlling a principal financial
reporting or disclosure risk would likely constitute a material design weakness.
The possibility of compensating entity level controls should be considered when
addressing weaknesses in process level controls.
• Materiality is a critical decision, and requires CEOs and CFOs to exercise their
professional judgment. While the definition of material weaknesses in the U.S.
auditing literature is not authoritative in Canada (except for inter-listed reporting
issuers), it is relevant and needs to be considered.
• Any material design weakness in ICFR should be disclosed in the MD&A, since it
is likely to also be a design weakness in DC&P.
• It is appropriate to also disclose in the MD&A a remediation plan developed by
management to correct an ICFR design weakness, providing this plan has been
formally approved and the capabilities are in place to implement the plan.
• If a material ICFR design weakness is disclosed, but remediating the weakness
is not considered to be cost effective, then it is appropriate for management to
disclose the actions that have been taken (e.g., engaging the external auditors to
perform reviews of the interim financial statements) to ensure that this weakness
in ICFR has not contributed to material errors in the financial statements.
• MI 52-109 requires that changes made to ICFR to remedy material design weaknesses be disclosed in the MD&A at the end of the reporting period in which the
changes were made. [22]
• Disclosing an unremediated material ICFR design weakness in the MD&A presents a tough question for the CEO and CFO as to whether they should sign their
certificates stating that the design of ICFR is effective. The CEO and CFO should
consider the expected CSA guidance on such a situation, obtain legal advice and
review their proposed course of action with the audit committee. The securities
regulators should also be consulted if necessary.
• Finally, in assessing the design of ICFR, management should ensure that ICFR is
designed to support both internal business decision making as well as external
financial reporting. In so doing, the time and effort spent in the design and assessment of ICFR will earn a return on this investment.
[22] For December 31, 2006 year end annual MD&As, this will be the fourth quarter.
I. The Role of the Audit Committee and External Auditors
MI 52-109 does not require audit committees, the boards of directors or the
external auditors to review or approve the CEO and CFO certificates. Audit
committees are, however, required to review the MD&A, which is to include
the disclosure of material weaknesses for both DC&P and ICFR and changes
in ICFR. As a result, we consider that directors need to become involved with
the certification process in relation to ICFR, and audit committees and external auditors need to exercise their respective responsibilities regarding ICFR
and related disclosures. This section summarizes, for the benefit of CEOs and
CFOs, our views about the role and responsibilities of the audit committee
and board of directors, the role of the external auditors and the ways in which
the external auditors may help the audit committee.
The responsibilities of the audit committee
and board of directors
MI 52-110, Audit Committees, states that audit committees must review the
issuer’s financial statements, MD&A and annual and interim earnings press
releases before the issuer publicly discloses this information. The board of
directors is required to approve both the issuer’s financial statements and
MD&A for release and filing with securities regulators.
Since material weaknesses in DC&P and ICFR, along with material changes in
ICFR, are required to be disclosed in the MD&A, the audit committee needs
to satisfy itself that these disclosures are complete (i.e., all material weaknesses
are disclosed) and fairly presented — just as it would for all other disclosures
included in the MD&A.
We believe directors should not just review the draft control-related disclosures, but should also understand and assess the certification process that
generated these disclosures. We make this suggestion for three reasons.
First, an understanding of the certification process would provide the audit
committee with an opportunity to better understand the strengths and weaknesses of the control systems of the issuer, and where appropriate support
from the audit committee would help to strengthen these systems.
Second, it provides the audit committee with an understanding of the process followed by the CEO and CFO in preparing to certify the effectiveness
of ICFR design, and the basis for the judgments exercised in the process and
assessment of findings.
Third, it should help the audit committee and directors establish a defence in
the event of proceedings under Ontario’s civil liability legislation for secondary market disclosures. It is in the audit committee’s interest to satisfy itself
with respect to the rigour of the CEO/CFO certification process, findings and
conclusions. Simply put, a rigorous certification process conducted by the
CEO and CFO should be the directors’ best friend in defending themselves
against a financial reporting or disclosure related lawsuit.
The audit committee can play an important role in supporting well designed
ICFR, and ensuring that these controls are operating effectively. Well designed
ICFR helps ensure that the audit committee and other internal users receive
timely, accurate and reliable financial information on which to make decisions. The audit committee is well positioned to review and influence the
design and operation of ICFR. The CFO is normally the primary management
interface with the audit committee; also, the external auditors, and often the
internal auditors, report to the audit committee on the results of their work.
In addition, when the board approves strategic plans, the audit committee
can monitor the adequacy of resources allocated for designing and sustaining
effective DC&P and ICFR.
The companion publication for audit committees and boards of directors
provides a set of 20 questions that audit committees and boards may wish to
ask of CEOs and CFOs as part of their due diligence and oversight process
to assure themselves that the CEO and CFO have conducted a duly rigorous
assessment of the design of ICFR.
The responsibilities of the external auditor
The external auditors can assist the audit committee and the board of directors in a number of ways, depending on the terms of their audit appointment
and the other services they have been asked to perform. Today, the audits
of Canadian public companies must be performed in accordance with either
U.S. Generally Accepted Auditing Standards (GAAS) or Canadian GAAS.
The external auditors of companies that are SEC registrants must comply with
U.S. SOX 404 requirements and perform their audits in accordance with the
auditing standards of the U.S. PCAOB, which require them to provide opinions on:
• the financial statements
• management’s assessment of ICFR, and
• the design and operational effectiveness of ICFR.
The external auditors of Canadian domestic issuers are required only to audit
and report on the annual financial statements. Under Canadian standards, the
auditor does not provide an opinion on the operating effectiveness of DC&P
or on the design of ICFR.
Understanding the differences between these two sets of auditing standards
is important, since many corporate directors will sit on the boards of both
Canadian domestic issuers and SEC registrants. The following is a brief overview of the implications.
Under U.S. standards for providing the ICFR related opinions, the auditors
are required to obtain a much deeper understanding and knowledge of the
design and operating effectiveness of ICFR, enabling them to provide information likely to be of use to the audit committee. More importantly, the audit
committee and board of directors are likely to be able to rely on the auditor’s
control related opinions as reports provided by an “expert.” This additional
knowledge and assurance, however, comes at a price since the external auditors must significantly expand their review and testing of ICFR beyond that
involved in a financial statement audit.
Canadian auditing standards, on the other hand, have been developed to
support an audit of the financial statements, but not to provide additional
opinions or assurance on ICFR. In conducting the audit the auditor does,
however, obtain some insights on aspects of the design of ICFR and its operating effectiveness. As a result, the external auditors can help audit committees
understand the design of ICFR and any weaknesses they have detected in the
course of their financial statement audit. The following paragraphs illustrate
how the external auditor obtains knowledge about the design and operating
effectiveness of ICFR.
In conducting a financial statement audit, the external auditor is required
under Canadian GAAS to obtain an understanding of internal control relevant to the audit. Controls relevant to a financial statement audit are those that
pertain to the entity’s objective of preparing financial statements for external
purposes that are fairly presented, in all material respects, in accordance with
generally accepted accounting principles (GAAP) and the management of risks
that may give rise to a material misstatement in those financial statements.
When obtaining an understanding of internal control relevant to the audit,
the auditor evaluates the design of relevant controls and determines whether
these controls have been implemented. The external auditor’s objectives in
obtaining this understanding are to:
• identify types of potential misstatements of the financial statements;
• consider factors that affect the risks of material misstatement of the financial statements; and
• design the nature, timing and extent of further audit procedures to be performed.
If, in determining the nature, timing and extent of further audit procedures to
be performed, the external auditor decides to rely on the operating effectiveness of specific controls, the external auditor is required by GAAS to test that
those controls operated effectively. The nature, timing and extent of tests of
the operating effectiveness of these specific controls, and the work done on the
design and implementation of controls relevant to the audit, are not intended
to, and do not provide an appropriate basis for the external auditor to form an
opinion on the operating effectiveness of ICFR as a whole. Accordingly, the
external auditor does not provide such an opinion.
Communication with the audit committee
During the course of planning and performing the financial statement audit,
the auditor may identify significant weaknesses in internal control relevant
to the audit, management and the audit committee. To comply with GAAS,
external auditors are required to communicate such weaknesses to the audit
committee or its equivalent. Audit committees should, therefore, engage in
an open and frank discussion with their external auditor to ensure that they
understand the auditor’s views on the design of ICFR and any potential ICFR
weaknesses that are of concern to the auditor.
When evaluating the effectiveness of the DC&P and assessing whether the
design of ICFR provides reasonable assurance regarding the reliability of
financial reporting and the preparation of the financial statements, the CEO
and CFO should also take into account material weaknesses in internal control communicated by the external auditor.
For their part, the external auditors are associated with the MD&A and must
therefore review the MD&A to ensure its consistency with the financial statements and the knowledge they have developed during the course of the audit.
Should the external auditor conclude that the representations or disclosures
in the MD&A are inconsistent with their knowledge (e.g., the MD&A does
not disclose any weaknesses in the design of ICFR but the external auditor is
aware of design weaknesses that they consider to be material) then the external auditor is required to communicate this information to the audit committee and take whatever action is necessary.
Additional help from the external auditors
While the auditor’s communication of material weaknesses in internal controls may provide some useful insights into ICFR, the auditor cannot provide
assurance with respect to the effectiveness of ICFR through an examination of
financial statements alone. Nor can work done in a financial statement audit
provide the type of assurance given to audit committees and boards of interlisted companies subject to SOX 404. In order to receive such assurance, a
Canadian issuer would have to engage its auditor to perform an engagement
with the specific objective of providing assurance on ICFR. Such an engagement would require the auditor to perform procedures that were not included
in the financial statement audit. The terms of such an engagement should be
agreed between the auditor and the issuer (including approval by the audit
committee) and be appropriately documented. While this alternative is likely
to involve significant costs, it is probably the most effective way of minimizing the liability exposure of the issuer, its officers and directors. Whether the
benefits are worth the costs involved is something for each audit committee to
determine based on the issuer’s specific circumstances.
Another, less costly, option is for the audit committee to engage the external
auditor to perform “specified procedures” to support the audit committee’s
due diligence assertion that it conducted a reasonable investigation. Such procedures might include performing tests of those controls related to principal
financial reporting and disclosure risks. In such engagements the external
auditor would:
• agree with management and the audit committee as to the procedures to
be performed
• perform those procedures, and
• report to management and the audit committee their findings.
While “specified procedures” engagements do not provide assurance on the
overall design or operating effectiveness of ICFR, they would support an
assertion that the audit committee conducted a “reasonable investigation.”
They would also provide objective evidence for management and the audit
committee to use in determining whether the disclosure of material weaknesses in the MD&A is required or not.
External auditors can also assist management with the documentation and
evaluation of control procedures. However, depending on the nature and
extent of procedures to be performed, such engagements could pose a threat
to the auditors’ independence since it could place the auditors in a position of
auditing their own work.
Key Messages
• MI 52-109 does not require the audit committee or board of directors to approve
the CEO’s and CFO’s certificates; however, they should review and approve the
CEO’s and CFO’s conclusions that are disclosed in the MD&A.
• While the external auditors are not required to audit the disclosures contained
in the MD&A, they must review the MD&A to ensure that the ICFR related disclosures are consistent with the knowledge developed during the financial statement audit.
• The audit committee should ask probing questions, and obtain relevant information and reports to satisfy itself that the certification process was thorough,
rigorous and that all findings were dealt with appropriately.
• If the audit committee desires more assurance from the external auditor than
that provided in the audit of financial statements, they can:
– engage the external auditors to expand their audit procedures to provide a
report containing an opinion on the design and operating effectiveness of
ICFR similar to that provided in an audit of ICFR performed in accordance
with U.S. auditing standards, or
– engage the external auditors to perform certain “specified procedures” with
respect to ICFR and report their findings to both management and the audit
committee.
• Audit committees should encourage their organizations to take a “beyond compliance” approach that integrates ICFR into their business and risk management
practices and helps them achieve their business objectives.
J. Readiness for the Fourth Phase of Certification
The top-down, risk-based process described in this publication is intended
to help CEOs and CFOs comply in a cost effective way with the CSA requirements for 2006 certifications on design of ICFR and changes in ICFR. It also
provides the opportunity for CEOs and CFOs to put in place the foundation
for the next phase of certification which deals with the operating effectiveness of ICFR. Performing a risk based assessment of the design of ICFR, and
making the investments to remediate whatever weaknesses are identified, will
strengthen internal business control and help avoid future more costly or even
embarrassing surprises.
Assessing the design of ICFR may also identify opportunities to strengthen
governance processes, such as the way in which the board monitors the implementation of an organization’s code of business conduct and the disciplines
involved in establishing and sustaining a culture of integrity. This is essential
for effective ICFR and should contribute more broadly to effective corporate
governance.
The time and cost spent on assessing ICFR design in 2006, together with the
remediation of identified weaknesses, will be an investment that should pay
dividends in future periods.
Developing this publication brought to light two specific issues that, unless
addressed, will also affect the fourth phase of certification. We raise these
issues so that regulators and the CA profession can develop the appropriate
responses to help issuers implement these new requirements.
The first is the situation faced by an issuer who has identified and disclosed a
material weakness in ICFR at the end of 2006. CEOs and CFOs of such issuers
may be unwilling to provide the required certification about design of effective ICFR, and, since they are not permitted to modify the certificate, this may
mean they are not able to provide any type of certificate at all. The CSA is
aware of this problem and is expected to provide staff guidance in the near
future about disclosure of ICFR design weaknesses and changes.
The second is the lack of guidance for small companies, especially micro cap
companies, with respect to ICFR. Many of these companies do not have the
resources to apply GAAP or design and implement effective segregation of
duties, and they often have a controlling shareholder who is the CEO. In some
areas, these small/micro cap issuers have material weaknesses in ICFR while
in other areas they have strong controls due to the active involvement of the
CEO/controlling shareholder in the business. While there are compensating
steps that issuers and their audit committees can take to ensure the reliability
of financial reporting, these may be costly. There is an urgent need, in our
view, for well-developed practical guidance on ICFR design, material weakness disclosure and mitigating strategies for these small/micro cap issuers; the
development of such guidance was well beyond the scope of this project.
The top-down, risk-based approach to assessing the design of ICFR presented
in this publication will provide a solid foundation for assessing the operating
effectiveness of ICFR when it is required. This guidance is, however, only a
beginning; it needs to be updated and enhanced as experience is obtained.
The authors and the CICA’s Risk Management and Governance Board are
anxious to obtain feedback, suggestions and ideas on how this guidance can
be improved. Comments and suggestions will be appreciated and should be
provided to rmgb@cica.ca.
Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006
The CSA’s Revised Flight Plan
The diagram sets out, for each phase and year, the required Content Certification and the two kinds of Control Certification (Disclosure Controls, DC&P; Internal Controls, ICFR):
Phase 1 (2004)
• Content Certification: Management’s Bare Certification of Financial Information (Annual and Quarterly)
Phase 2 (2005)
• Content Certification: Management’s Bare Certification of Financial Information (Annual and Quarterly)
• Control Certification, Disclosure Controls (DC&P): Management’s Certification of Design and Evaluation of DC&P (Annual)
Phase 3 (2006)
• Content Certification: Management’s Bare Certification of Financial Information (Annual and Quarterly)
• Control Certification, Disclosure Controls (DC&P): Management’s Certification of Design (Annual and Quarterly) and Evaluation (Annual) of DC&P
• Control Certification, Internal Controls (ICFR): Management’s Certification of Design of ICFR (Annual and Quarterly)
Phase 4 (2007)
• Content Certification: Management’s Bare Certification of Financial Information (Annual and Quarterly)
• Control Certification, Disclosure Controls (DC&P): Management’s Certification of Design (Annual and Quarterly) and Evaluation (Annual) of DC&P
• Control Certification, Internal Controls (ICFR): Management’s Certification of Design of ICFR (Annual and Quarterly), and Management’s Certification of Evaluation of ICFR (Annual – Earliest Date)
Form 52-109F1 - Certification of Annual Filings
I, ‹identify the certifying officer, the issuer, and his or her position at the issuer›, certify that:
1. I have reviewed the annual filings (as this term is defined in Multilateral Instrument 52-109 Certification of Disclosure in
Issuers’ Annual and Interim Filings) of ‹identify issuer› (the issuer) for the period ending ‹state the relevant date›;
2. Based on my knowledge, the annual filings do not contain any untrue statement of a material fact or omit to state a
material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances
under which it was made, with respect to the period covered by the annual filings;
3. Based on my knowledge, the annual financial statements together with the other financial information included in the
annual filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer,
as of the date and for the periods presented in the annual filings;
4. The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and
procedures and internal control over financial reporting for the issuer, and we have:
a. designed such disclosure controls and procedures, or caused them to be designed under our supervision, to provide
reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made
known to us by others within those entities, particularly during the period in which the annual filings are being
prepared;
b. designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide
reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with the issuer’s GAAP; and
c. evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the
annual filings and have caused the issuer to disclose in the annual MD&A our conclusions about the effectiveness of the
disclosure controls and procedures as of the end of the period covered by the annual filings based on such evaluation;
and
5. I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting
that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially
affect, the issuer’s internal control over financial reporting.
Signature
Title
Date
Appendix 2: MI 52-109 Definitions of Disclosure Controls and Procedures and Internal Control Over Financial Reporting
From CSA MI 52-109, Part 1, 1.1:
1. Disclosure Controls and Procedures (DC&P)
“disclosure controls and procedures” means controls and other procedures of
an issuer that are designed to provide reasonable assurance that information
required to be disclosed by the issuer in its annual filings, interim filings or
other reports filed or submitted by it under provincial and territorial securities legislation is recorded, processed, summarized and reported within the
time periods specified in the provincial and territorial securities legislation
and include, without limitation, controls and procedures designed to ensure
that information required to be disclosed by an issuer in its annual filings,
interim filings or other reports filed or submitted under provincial and territorial securities legislation is accumulated and communicated to the issuer’s
management, including its chief executive officers and chief financial officers
(or persons who perform similar functions to a chief executive officer or a
chief financial officer), as appropriate to allow timely decisions regarding
required disclosure;”
2. Internal Control over Financial Reporting (ICFR)
“internal control over financial reporting” means a process designed by, or
under the supervision of, the issuer’s chief executive officers and chief financial
officers, or persons performing similar functions, and effected by the issuer’s
board of directors, management and other personnel, to provide reasonable
assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with the issuer’s
GAAP and includes those policies and procedures that:
(a) pertain to the maintenance of records that in reasonable detail accurately
and fairly reflect the transactions and dispositions of the assets of the
issuer,
(b) provide reasonable assurance that transactions are recorded as necessary
to permit preparation of financial statements in accordance with the issuer’s GAAP, and that receipts and expenditures of the issuer are being made
only in accordance with authorizations of management and directors of
the issuer, and
(c) provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the issuer’s assets that could
have a material effect on the annual financial statements or interim financial statements;”
Appendix 3
Where to Find More Information
Securities Laws and Regulations — Canada
www.osc.gov.on.ca/Regulation/Rulemaking/rrn_index.jsp
Canadian Securities Administrators (CSA)
— Multilateral Instrument 52-109 Certification of Disclosure in Issuers
Annual and Interim Filings
— Multilateral Instrument 52-109CP Companion Policy
— Multilateral Instrument 52-110 Audit Committees
— Multilateral Instrument 52-110CP Companion Policy
— National Policy 58-201 Corporate Governance Guidelines
— National Instrument 58-101 Disclosure of Corporate Governance
Practices
— National Policy 51-201 Disclosure Standards
— National Instrument 51-102 Continuous Disclosure Obligations
— Staff Notice 52-311 Regarding Required Forms of Certificates
under MI 52-109
— Staff Notice 52-313 Regarding Status of Proposed MI 52-111
and Proposed Amendments to MI 52-109
Amendments to the Securities Act (Ontario) and Regulation 1015
(as enacted in 2005 under Bill 198)
Securities Laws and Regulations — United States
http://www.sarbanes-oxley.com/section.php?level=1&pub_id=SarbanesOxley
United States Securities and Exchange Commission (SEC)
www.sec.gov
CICA Publications
www.rmgb.ca
— CEO and CFO Certification: Improving Transparency and Accountability
— 20 Questions Directors Should Ask about Codes of Conduct
— 20 Questions Directors Should Ask about Internal Audit
— 20 Questions Directors Should Ask about IT
— 20 Questions Directors Should Ask about MD&A
— 20 Questions Directors Should Ask about Risk 2nd edition
— Risk Management: What Boards Should Expect from CFOs
— Financial Aspects of Governance: What Boards Should Expect from CFOs
— Integrity in the Spotlight: Audit Committees in a High Risk World
— Learning about Risk: Choices, Connections and Competencies
— Guidance on Control
— Guidance on Assessing Control
— Understanding Disclosure Controls and Procedures: Helping CEOs
and CFOs Respond to the Need for Better Disclosure
— Management’s Discussion and Analysis — Guidance on Preparation
and Disclosure
— CICA Handbook — Assurance Recommendations
Other
International Federation of Accountants
Internal Controls — A Review of Current Developments, Information
Paper, August 2006
www.ifac.org
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA
Internal Control over Financial Reporting — Guidance for Smaller Public
Companies, 2006
Internal Control — Integrated Framework, 1992
www.coso.org
Public Company Accounting Oversight Board (PCAOB, USA) Auditing
Standard No.2
Perspectives on Internal Control Reporting — A Resource for Financial
Market Participants (Deloitte & Touche LLP, Ernst & Young LLP, KPMG
LLP, PricewaterhouseCoopers LLP; USA, December 2004)
Authors
About the Authors
James L. Goodfellow, FCA, is a partner and vice chairman of Deloitte
who advises boards of directors, audit committees, corporate executives and
securities regulators in Canada and internationally on corporate reporting
and governance related issues. He recently co-authored the book Integrity in
the Spotlight: Audit Committees in a High Risk World.
He served as research director for the Joint Committee on Corporate Governance, is a past chairman of the CICA Accounting Standards Board, and has
served on the CICA’s Emerging Issues Committee. He is a past chairman of
the CICA Canadian Performance Reporting Board.
He is a frequent speaker on issues related to financial reporting, corporate
governance and audit committees. He believes strongly that the external auditor should be accountable to the board of directors and the audit committee
as representatives of the shareholders, and that this repositioning of the auditor/client relationship can produce significant benefits to the effectiveness of
the audit.
Jim Goodfellow has served on the board of directors of Deloitte and, in the
past, served as the firm’s National Director of Accounting & Auditing. He is a
senior partner responsible for providing services to some of his firm’s largest
clients.
Alan D. Willis, CA, is an independent consultant in the fields of corporate
governance, performance measurement and business reporting, with a particular focus on the linkages of these topics with sustainable development and
the business value of stakeholder relations. He directed the development of
CICA’s guidance on MD&A preparation and disclosure and wrote the related
briefing “20 Questions Directors Should Ask About Management’s Discussion and Analysis.” He co-authored CICA’s publication “Learning about Risk:
Choices, Connections and Competencies.”
His first foray into the realm of corporate governance was writing a guidance booklet for audit committees and creating a documentary film about
corporate directors in 1971. He observes that both would still be remarkably
relevant today.
As a member of the International Corporate Governance Network, he serves
on its Non-financial Business Reporting Committee. He has worked extensively with Canadian and international initiatives to develop performance
indicators and reporting guidelines relevant to corporate management of and
disclosure about climate change impacts, environmental performance and
corporate social responsibility. He is currently engaged in a multi-disciplinary
North American project on the design of a new corporate governance model
for the 21st century.
INTERNAL CONTROL 2006:
THE NEXT WAVE OF CERTIFICATION
Guidance for Management
277 Wellington Street West
Toronto, ON Canada
M5V 3H2
Tel: 416-977-0748
www.rmgb.ca