INTERNAL CONTROL 2006: THE NEXT WAVE OF CERTIFICATION Guidance for Management James L. Goodfellow and Alan D. Willis INTERNAL CONTROL 2006: THE NEXT WAVE OF CERTIFICATION Guidance for Management James L. Goodfellow and Alan D. Willis Copyright © 2006 The Canadian Institue of Chartered Accountants 277 Wellington Street West Toronto, Canada M5V 3H2 www.rmgb.ca Disponible en français Printed in Canada TOC Table of Contents Preface v A. Introduction 1 B. The Four Phases of Certification 5 C. Relationship between ICFR and DC&P 7 Key Messages D. ICFR and Stages in Business Growth Key Messages E. Developing an Approach for Certifying the Design of ICFR Overall considerations 9 11 13 15 15 Using a control framework. 16 Preventive and detective controls. 16 Entity wide controls and process level controls. 16 Alignment with sub-certification processes. 17 Process for certifying the design of ICFR 18 F. Certification Process:Preparation Stage 19 1. Review relevant control information 19 2. Identify relevant control “systems”and material account balances 20 3. Identify major financial reporting risks 21 Key Message 22 G. Certification Process:Assessment Stage 4. Assess the quality of the control environment iii 23 23 Board responsibilities 24 Code of conduct 24 Whistle-blowing policy 25 Internal Control 2006: The Next Wave of Certification — Guidance for Management Compensation practices 25 Management’s philosophy and operating style 25 Board influence over the control environment in venture issuers 26 Key Messages 27 5. Assess the design of other entity level controls Key Messages 6. Assess process level controls Key Messages H. Certification Process:Conclusions and Disclosure Stage 27 31 32 35 37 a. Review findings from assessments of ICFR design 37 b. Disclosure considerations and decisions 39 i. Categories of ICFR design weaknesses 39 ii. Materiality 39 iii. A decision tree on disclosure of material weaknesses 40 iv. Investigating the impact of ICFR design weaknesses 41 c. Disclosure examples 42 d. Deciding on disclosure of changes in ICFR 43 e. Uncorrected material weaknesses in ICFR 44 f. Issues for small companies 44 Key Messages 45 I. The Role of the Audit Committee and External Auditors 47 The responsibilities of the audit committee and board of directors 47 The responsibilities of the external auditor 48 Communication with the audit committee 50 Additional help from the external auditors 50 Key Messages 51 J. Readiness for the Fourth Phase of Certification 53 Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006 55 Appendix 2: MI 52-109 Definitions of Disclosure Controls and Procedures and Internal Control Over Financial Reporting 57 Appendix 3: Where to Find More Information iv Table of Contents 59 Preface Preface Risk Management and Governance Board Thomas Peddie, FCA, Chair Dan Cornacchia, FCA Brian Ferguson CA John Fraser, CA Michael Harris, CA Andrew J. MacDougall, LLB Peter W Roberts, CA, CPA (Illinois) Josee Santoni, CA Directors Advisory Group Giles Meikle, FCA, Chair James Arnett, QC William Dimma, F.ICD, ICD.D John Ferguson, FCA Gordon Hall, FSA, ICD.D Robin Korthals Mary Mogford, F.ICD, ICD.D Patrick O’Callaghan Ronald Osborne, FCA Guylaine Saucier, CM, FCA CICA Staff William Swirsky, FCA Vice President, Knowledge Development Gigi Dawe Principal, Risk Management and Governance The Risk Management and Governance Board (the RMG Board) of the Canadian Institute of Chartered Accountants commissioned this document to help CEOs and CFOS to fulfill their responsibilities regarding external financial reporting, in particular Internal Control over Financial Reporting (ICFR) and the related CEO and CFO certifications that are effective in 2006. The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to include for the first time in their 2006 annual certificates statements about the design of internal control over financial reporting and related MD&A disclosures. This is in addition to the existing certifications that address disclosure controls and procedures (DC&P). This publication, a companion document to Internal Control 2006: The Next Wave of Certification, Guidance for Directors, provides CEOs and CFOs (and other management) with a top-down, risk-based process to follow in certifying the design of ICFR, including a methodology for assessing ICFR design weaknesses and deciding on necessary disclosures. This guidance combines control principles, concepts and practices derived from recognized internal control frameworks, guidance and contemporary literature about ICFR with fresh insights and proposals developed for these CICA publications. This guidance also complements existing CICA publications about control, risk, corporate governance, disclosure and CFO responsibilities. The guidance in both publications has been developed for TSX and venture issuers, since MI 52-109 applies to both. Small cap and venture issuers face special circumstances and control challenges. These are acknowledged and addressed to the extent possible at this time. The RMG Board acknowledges and thanks members of the Directors Advisory Group for their advice, the authors — James L. Goodfellow, FCA, Vice Chair of Deloitte, and Alan Willis, CA, Alan Willis & Associates — and Hugh Miller for his editorial reviews and helpful suggestions. Internal Control 2006: The Next Wave of Certification — Guidance for Management The authors are responsible for the views expressed in this publication; it does not represent, amend or replace any professional standard nor does it constitute prescribed minimum requirements. CEOs and CFOs should consult their professional advisors on any matter about which they seek clarification, further information or guidance. Tom Peddie, FCA Chair, Risk Management and Governance Board Authors James L. Goodfellow, FCA Alan D. Willis, CA Editor Hugh Miller Project Director Gigi Dawe, Principal, CICA vi Preface Dedication Dedication This publication is dedicated to the memory of W.A. (Bill) Bradshaw, FCA (1928 – 2006) a partner, friend and mentor to the authors. Bill made many unique contributions to the Canadian accounting profession. Perhaps the most significant of these was the introduction of multi-disciplinary “systems” thinking to the topics of governance, risk, control and accountability. His thoughts and insights have been invaluable to us in all our work, not least in developing this guidance — a legacy for which we are deeply grateful. vii A Introduction In their annual certificates for 2006, CEOs and CFOs will have to certify on the design of internal control over financial reporting. What steps can CEOs and CFOs take to prepare to make these new certifications? What are the implications of any material weaknesses that are identified during the process? Background The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52109, CEO and CFO Certification, requires CEOs and CFOs to certify in their 2006 annual certificates that they are responsible for establishing and maintaining both disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR), and that they have “designed such internal control over financial reporting…to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.” The CEO and CFO certificates are also required to state that “any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting” is disclosed in the Management’s Discussion & Analysis (MD&A). The CSA plans to further expand the CEO/CFO certification in the future to include a certification on the operating effectiveness of ICFR. Separate auditor attestation about ICFR is no longer expected under Canadian requirements. In brief, this publication provides an overview of the four phases of CSA’s certification requirements and the relationship between ICFR and DC&P, followed by a short discussion of the relevance of the stages in a company’s growth to the design of ICFR. It proposes a top-down, risk-based process for CEOs and CFOs to follow in order to assess the design of ICFR and deciding what internal and external disclosures are necessary to report their findings and conclusions. The roles of audit committees and external auditors regarding ICFR and related certification are discussed. Finally some conclusions and issues are presented about readiness for the fourth phase of certification. Appendix 1 provides a diagram of the four phases of CEO/CFO certification Internal Control 2006: The Next Wave of Certification — Guidance for Management and the annual certificate required in 2006. Appendix 2 sets out the CSA definitions of ICFR and DC&P. Appendix 3 shows where to find more information about topics referred to in this publication. Responsibility for internal control The CSA’s corporate governance guidelines state that boards should be responsible for the issuer’s internal control and management information systems. In practice, the board of directors delegates to management the responsibility for designing and implementing a system of internal control, including those elements that constitute ICFR. Internal control is widely taken to mean the processes established by management to provide reasonable assurance about achievement of the organization’s objectives regarding operations, reporting and compliance. Internal control is designed to address identified risks that threaten any of those objectives. The CSA definition of internal control over financial reporting specifies objectives relevant to financial reporting. The CEO’s and CFO’s attitudes about and approach to the certification process send a clear signal to the entire organization. When CEOs make the process a top priority and provide active leadership to it, the people who prepare financial reports, accounting estimates and financial disclosures will also make quality financial reporting a priority. Moreover, CEOs and CFOs might view the relative costs of implementing sound ICFR as outweighing the adverse impact of rectifying problems after they have become a market issue, not to mention the effect of damage to the reputations of the enterprise, its directors and officers. While this publication is directed primarily to assist CEOs and CFOs, it also aims to assist other members of management involved in the certification and reporting process who need guidance on certifying the design of ICFR in time for the 2006 annual filings. Accordingly we frequently use the term “management” throughout the publication. Implications for small issuers Certifying the design of ICFR is no small task, especially for a small company. Venture issuers are not exempt from the ICFR design certification requirement, yet there are important practical considerations for them to address that arise from the smaller size of many venture issuers. Corporate governance and audit committee practices for venture issuers may be less well developed than those in larger, non-venture issuers, partly reflecting differences in applicable CSA governance and audit committee requirements. Financial management functions and staffing may also be more limited in scale and capability in small cap and venture issues. These practical considerations for small and venture issuers are acknowledged and addressed to the extent possible in relevant parts of this document. The June 2006 US COSO publication Internal Control over Financial Reporting — Guidance for Smaller Public Companies may be of some assistance to small cap issuers, although “smaller public companies” in the US are often large compared to “smaller” Canadian public companies. CSA National Policy 58-201, Corporate Governance Guidelines, item 3.4 A. Introduction Internal Control 2006: The Next Wave of Certification — Guidance for Management Some small issuers may face a special challenge: the new requirement for 2006 calls for certification as to the effectiveness of ICFR design, yet the lack of personnel and financial resources for many of these issuers may result in material weaknesses in ICFR — weaknesses that cannot be readily corrected in a cost-effective way. This could preclude them from providing the required certification about ICFR design, thus also preventing them from signing and filing the full certificate (since no amendments to certificates are permitted). How this situation may be dealt with and disclosed is an important issue that is discussed later in this publication. Boards of directors and audit committees The certification requirements raise important questions for audit committees and boards of directors. What is their role in the process? What exposure would result if it was determined that a weakness existed in the design of ICFR after it had been certified by the CEO and CFO and not mentioned in the board-approved MD&A? What exposure would result if material accounting errors are discovered after the documents are filed, as well as the CEO’s and CFO’s certification of the design of ICFR, but with no weaknesses reported in the MD&A, which the audit committee had reviewed and the board of directors approved? A shorter companion publication is directed at the oversight needs and responsibilities of audit committees and boards of directors. The companion publication places special emphasis on the role of the board of directors regarding the organization’s overall control environment and “tone at the top,” which have an overarching influence on ICFR. Audit committees or boards of directors seeking more detailed information on specific aspects of the process followed by CEOs and CFOs in preparing to certify the design of ICFR should refer to this publication. A. Introduction B The Four Phases of Certification Multilateral Instrument 52-109, CEO and CFO Certification was issued in 2004 and contains requirements similar to the US SOX-related certification rules, issued by the Securities and Exchange Commission (SEC). Since 2005, MI 52-109 has applied to all reporting issuers, although Canadian issuers that are also SEC registrants may use the certifications they prepare for US purposes to satisfy the Canadian requirements. There are no exemptions for venture issuers, unlike those provided to companies listed on the TSX Venture Exchange for certain audit committee requirements and corporate governance disclosures. The CEO and CFO certification requirements are being implemented in four phases, each of which builds on the previous one and expands the scope of the certification. The first phase, introduced in 2004, required chief executive officers and chief financial officers of reporting issuers to personally certify that, based on their knowledge, the financial statements and other financial information contained in their annual and quarterly filings “fairly present in all material respects the financial condition, results of operation and cash flows” of the company. This was known as the “bare” certificate. In the second phase, which became effective in 2005, CEOs and CFOs were also required to certify that they had designed disclosure controls and procedures to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to them by others within those entities. It also required CEOs and CFOs to certify that they had evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and had caused the issuer to disclose in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures. When MI 52-109 originally came into effect in 2004, it was not applicable in BC or Quebec. Internal Control 2006: The Next Wave of Certification — Guidance for Management 2006 marks the introduction of the third phase of the certification. CEOs and CFOs are now required to add the following (italicized) additional certifications to their annual certificates: • The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have: (b) designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP; and • I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting. The fourth phase of CEO/CFO certification has not yet been finalized, but will be introduced, at the earliest, in 2007. The CSA has indicated that this phase will require CEOs and CFOs to certify that they have evaluated the effectiveness of ICFR and disclosed the conclusions of their evaluation in the issuer’s annual MD&A. Unlike the U.S. requirements, CEOs and CFOs will not have to issue a separate management report on internal control, nor will they be required to obtain the external auditor’s opinion of management’s assessment of the effectiveness of internal control or the auditor’s own assessment of the effectiveness of internal control. The CSA is currently revising MI 52-109 to reflect these proposals, which it is expected to release for public comment in the fall of 2006. CSA Staff Notice 52-311, Dec. 2005. A copy of the certificate for 2006 is provided in Appendix 1 together with a diagram illustrating the four phases of certification. B. The Four Phases of Certification C Relationship between ICFR and DC&P The CEO/CFO certification requirements contain two control concepts — disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR). Reporting issuers make two types of public disclosures. One type is the information contained in documents they are required to file with the securities regulators (including the interim and annual financial statements and MD&As). The other type includes other voluntary disclosures made in oral or written statements. The CSA’s definition of ICFR relates to the reliability of financial reporting, focusing in particular on controls over the information contained in the interim and quarterly financial statements. Under the CSA definition, the purpose of ICFR is to provide reasonable assurance that: • financial statements prepared for external purposes are in accordance with the issuer’s GAAP • transactions are recorded as necessary to permit the preparation of financial statements, and records are maintained in reasonable detail • receipts and expenditures of the issuer are made only in accordance with authorizations of the issuer’s management and directors, and • unauthorized acquisitions, uses or dispositions of the issuer’s assets that could have a material effect on the financial statements will be prevented or detected in order to prevent material error in annual or interim financial statements. For the purpose of ICFR design certifications (and related MD&A disclosures), ICFR should, in our interpretation of the CSA definitions, be regarded as an element or sub-set of DC&P. This means any material weakness in the See Appendix 2 for CSA definitions of DC&P and ICFR. This interpretation is consistent with that expressed in Appendix III of “Perspectives on Internal Control Reporting”, December 2004, by Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP (USA). Part 6 of the Companion Policy to MI 52-109 also discusses this matter, indicating substantial but not complete overlap of DC&P over ICFR. Internal Control 2006: The Next Wave of Certification — Guidance for Management design (or operating) effectiveness of ICFR should be disclosed in the MD&A, as would any other weakness identified in management’s conclusions about the effectiveness of DC&P. The following diagram illustrates the relationship between an organization’s overall control structure, its disclosure controls and procedures and its internal control over financial reporting. The diagram is intended to illustrate that ICFR is narrower than DC&P, which, in turn, is more restricted than Categories of Control Overall Business Control Structure Controls over information contained in other public disclosures Disclosure Controls and Procedures (DC&P) per MI 52-109 Definition Internal Controls over information contained in annual and quarterly financial statements (ICFR) per MI 52-109 Definition the controls over all public disclosures, and they, in turn, are less encompassing than the total set of controls within an organization to help it achieve its objectives. The relationship between disclosure controls and civil liability for disclosures in the secondary market is important. Directors, officers and issuers are entitled to a due diligence defence, which would include placing reliance on the issuer’s disclosure system and controls, providing they have conducted a reasonable investigation to support such reliance. The CEO and CFO certifications, and the process the CEO and CFO follow to support their certifications, would be an important component of such a defence. The CEO and CFO certifications contemplated by MI 52-109 address only controls over documents that are required to be filed with a securities regulator. Audit committees or boards of directors that want to rely on disclosure controls over other voluntary disclosures (e.g., annual reports or conference calls with analysts) must ensure that the controls over these disclosures are either included in the CEO/CFO certification process or are evaluated in some other manner. C. Relationship Between ICFR and DC&P Internal Control 2006: The Next Wave of Certification — Guidance for Management Key Messages • Disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR) are defined terms in MI 52-109. The CSA definition of ICFR focuses on the financial statement component of financial reporting. • Material weaknesses in the design of ICFR should be disclosed in the MD&A in a manner similar to the disclosure of material weaknesses in DC&P. • In light of Ontario’s civil liability legislation, issuers may wish to expand their operational definition of DC&P to include all public disclosures and not just information contained in documents that are required to be filed with a securities regulator. C. Relationship Between ICFR and DC&P D ICFR and Stages in Business Growth ICFR is not just about satisfying the financial reporting requirements of securities regulators. A well designed ICFR system provides reasonable assurance that assets are safeguarded, and that accurate and reliable financial information and performance measures are reported on a timely basis to decision makers. In short, a well designed ICFR contributes to the enterprise’s ability to make decisions to help it achieve its business objectives, including those regarding competitive advantage and long term development. Weak ICFR is not just a financial reporting risk, it may represent a principal risk to the organization and the achievement of its overall business objectives. To meet these business objectives, ICFR must address the challenges, opportunities and risks the business faces as it competes for market share, customers, people and capital in its industry. Because these challenges and risks are different at the various stages of a company’s evolution, the required approach to ICFR will also differ. At a given point in time, a company is typically in one of the following five stages of growth: 1. Start-up/Exploration 2. Rapid growth 3. Maturity 4. Transformation 5. Decline Management must ensure that the design of ICFR addresses the risks related to each growth stage and is appropriately modified as the company transitions from one stage to another. 1. Start Up/Exploration. These companies typically have yet to establish the markets or customer bases to generate sustained profits and cash flows. They often lack strong accounting and financial capabilities, and must closely monitor and project cash flows to protect against burning through the capital provided by the owners and 11 Internal Control 2006: The Next Wave of Certification — Guidance for Management raised in the Initial Public Offering. Their ICFR design issues relate to basic accounting, tax and cash flow management, and minimizing the potential for management override of controls by the CEO and/or controlling shareholder, who may still attempt to run the business as if it were a private company. 2. Rapid Growth. Keeping pace with double digit growth and struggling to supply sufficient product to keep up with customer demand are just some of the challenges facing these companies, which often must address a range of issues demanding time and money that stress their management and accounting systems. Their ICFR design issues include the need to acquire the accounting capabilities to keep pace with, and catch up to, revenue growth and acquisition programs. Because it takes significant time and resources to implement these capabilities – which compete with the time and resources needed to keep up with customer demand -- the ICFR design solution is often to leave things as they are, or put in place “spread sheet interfaces” and other “workarounds.” 3. Maturity. These solidly profitable companies with significant market share, loyal customers, a sizeable work force, good cash flow and routine business operations usually have several layers of management and a number of policies and business processes. Often, management attempts to flatten its management structure and streamline processes through automation and outsourcing to enhance productivity and improve shareholder returns. These businesses may also be spun off into structures such as income trusts, which create their own financial reporting challenges. Mature companies’ ICFR design issues often relate to establishing effective entity level controls, enterprise risk management programs, accountabilities, and redesigning process controls to improve efficiency. In large mature organizations, ICFR can become overly bureaucratic, procedure driven and provide a false sense of comfort with respect to ICFR effectiveness. There is a risk that process redesign and reengineering programs will result in management losing control of their billing, costing and accounting systems, which highlight important ICFR design considerations in areas such as revenue recognition or loss provisions. Multi-location and international operations, as well as the decentralization of operations and information systems may present further ICFR challenges. 4. Transformation. Should revenue growth level off and customers’ loyalty wane, companies will either reinvent themselves to get on a new “growth curve” or fall into a further stage of decline. Entering into new markets often requires considerable entrepreneurial skills and agility, so many larger mature organizations will accomplish their transformations through joint ventures, new investors and strategic partnership arrangements. The implications for ICFR design in these companies are significant. Transformation is much more than the re-engineering of a business process or processes. The risks must be clearly understood. ICFR must be designed to maintain management control during the transformation process, and ensure that financial reporting, including key performance metrics, is accurate and 12 D. ICFR and Stages in Business Growth Internal Control 2006: The Next Wave of Certification — Guidance for Management reliable no matter how bad the results may be. The documentation of and adherence to both new and pre-existing policies and controls may be another issue to address. 5. Decline. Companies with falling sales and profits and negative cash flow often reduce their workforces and cut programs in an attempt to restore profitability and cash flow, and alleviate the concerns of investors and analysts. These companies must balance their ICFR needs with the business’s need to cut its cost structure. Too often, though, cost cutting programs also impair the effectiveness of ICFR and reduce institutional memory and weaken the capability to produce reliable financial reporting. Key Messages • Businesses are not static, but are continually changing and evolving. ICFR must change as business changes from one growth cycle to another. • The design of ICFR that is appropriate to one growth cycle may not be effective in another. For example, the ICFR design for a large mature organization is not appropriate for a start-up; similarly, the design of ICFR in a start-up enterprise will need to change as revenue and business grow. • Understanding where the business is on the growth cycle will help CEOs, CFOs and audit committees assess risks and determine the key issues that must be addressed in ICFR design. • In larger companies, operating subsidiaries and business units may be in different stages in the growth cycle, which further complicates ICFR design. 13 D. ICFR and Stages in Business Growth E Developing an Approach for Certifying the Design of ICFR In 2006, CEOs and CFOs are required to assess the design of ICFR, but not its operating effectiveness. It is difficult to fully assess “design” without also considering “operating effectiveness.” History is full of examples of grand designs that never worked in practice (many elaborate, early concepts for man-powered flight, for example). Therefore, CEOs and CFOs must adopt an organized, disciplined and documented process for assessing the design of ICFR to support their certification. It is advisable for the audit committee to review and approve this process at the outset, since the conclusions on DC&P, including those about the design of ICFR and any material changes in ICFR during the preceding quarter, will need to be disclosed in the MD&A. Overall considerations Management should begin their approach to certification about ICFR design by developing a methodology whereby the nature, extent and timing of the steps in the process are based on principal financial reporting and disclosure risks and enable management to draw reliable conclusions about the design of ICFR. It is also useful to bear in mind the four objectives of ICFR as discussed earlier. Some factors to consider are: • The assessment should be “top down” and “risk based” to ensure that the focus is on the important financial reporting and disclosure risks and issues. • CEOs should play, and be seen to play, an active role in the process — helping set priorities and areas of focus, attending key meetings and participating in decisions about the assessment of findings and required disclosures, including those in the MD&A. The CEO’s active involvement signals to the entire organization that ICFR and the design certification are important and helps ensure that the “tone at the top” is reflected in the approach to ICFR. CEOs also bring perspective, insight and judgment to the process that help ensure that ICFR is aligned with core business processes, including risk management, the use of key performance indicators to monitor operational and financial results, and continuous improvement in business processes and IT. 15 Internal Control 2006: The Next Wave of Certification — Guidance for Management • Management should develop and document their assessment approach, which should include some level of testing (see the discussion on controls that mitigate key financial reporting risks), • Where possible, the assessment process should not be a stand alone process. It should be integrated with management’s ongoing control monitoring activities and anticipate the future need for management’s evaluation of and certification about ICFR effectiveness. • The CEO and CFO should inform the audit committee about their approach and process and involve the audit committee where appropriate, such as obtaining its comments on the proposed ICFR design certification process at the outset. Designing effective ICFR is not a mechanical process and, consequently, certifying its design cannot be performed in a mechanistic manner. The goal is to assess whether there is an appropriate mix of controls that work effectively together to achieve the objectives of ICFR set out in MI 52-109. Other important issues for CEOs and CFOs to consider as they plan their approach to assessing the design of ICFR include: Using a control framework. The CSA leave the decision to use a control framework to the CEO and CFO. There are benefits to adopting a recognized control framework, particularly when CEOs and CFOs will also have to certify on the operating effectiveness of ICFR. COSO’s 1992 Internal Control — Integrated Framework is the most commonly used framework; smaller issuers should consider COSO’s “Internal Control over Financial Reporting — Guidance for Smaller Public Companies” (June 2006). The CICA’s 1995 Guidance on Control (CoCo) provides another recognized framework of control criteria. Preventive and detective controls. There are two types of controls: those that prevent errors from occurring (e.g., accounting policies, safeguarding of assets) and those that monitor performance and detect errors that have occurred (e.g., internal audit, review of reconciliations, monitoring of financial performance against budgets). An effective ICFR should achieve a balance between preventive and detective controls. Entity wide controls and process level controls. Effective ICFR must balance preventive and detective controls at the entity level with those at the process level. 16 E. Developing an Approach for Certifying the Design of ICFR Internal Control 2006: The Next Wave of Certification — Guidance for Management Alignment with sub-certification processes. For DC&P purposes, many larger companies have established sub-certification processes, whereby the direct reports to the CEO and CFO provide formal certifications to them on the: • completeness and accuracy of the financial information pertaining to their areas of responsibility, and • effectiveness of disclosure controls and procedures. Larger organizations should consider whether this process should include sub-certifications from those business unit and finance executives who have important responsibilities in the financial reporting process. Sub-certifications by junior officers and managers are not a substitute for the CEO’s and CFO’s own diligence and knowledge, nor for ensuring that the company has effective DC&P and ICFR. However, a well designed sub-certification process that encompasses DC&P and the design of ICFR can add discipline to the financial reporting and disclosure process, positively reinforce the need for effective ICFR and help sustain a corporate culture that places a high value on accurate and timely financial reporting and disclosure. It can also form the backbone of an accountability system for financial reporting. Perhaps the most useful benefit of a well designed sub-certification process is the opportunity it provides for CEOs and CFOs to engage business unit leaders in the financial reporting process, thereby helping those leaders to better understand the importance of risk management and effective control and, in so doing, better manage their business units. To be effective, sub-certification processes should cover and be aligned with all of the issuer’s control systems and business units and should: • include a review of how the senior business and finance leaders of each business unit and “control system” satisfy themselves that the design of ICFR in their area of responsibility provides reasonable assurance of attaining the four key objectives of ICFR • be integrated with the management reporting and accountability structures through which senior management monitors performance and manages the business and financial risks • educate the people involved in the sub-certification process regarding its purpose and their responsibilities, and • support a culture of openness and trust that enables people to raise issues (e.g. potential ICFR design weaknesses) or questions without fear of criticism or reprisal. CEOs and CFOs who follow the process suggested below, and document how it was applied, will have a demonstrable, reasonable basis for providing the certifications they are required to make concerning the design of ICFR. 17 E. Developing an Approach for Certifying the Design of ICFR Internal Control 2006: The Next Wave of Certification — Guidance for Management Process for certifying the design of ICFR The following chart outlines a seven-step process that CEOs and CFOs may choose to follow for certifying the design of ICFR. The steps are discussed in detail in sections F, G and Process forH.Certifying the Design of ICFR Preparation Stage Assessment of Design Stage 1 2 3 Review Relevant Control Information Identify Relevant Control Systems and Material Account Balances Review Principal Financial Reporting and Disclosure Risks 4 5 Assess Control Environment Assess Other Entity Level Controls 6 6 6 6 6 6 6 Assess Findings, Form Conclusions and Make Disclosures E. Developing an Approach for Certifying the Design of ICFR Process Control G Process Control F Process Control E Process Control D Process Control C 18 7 Process Control B Process Control A Conclusions and Disclosure Stage F Certification Process: Preparation Stage Before they can begin assessing the design of ICFR, management should first: • review relevant control information • identify relevant controls systems and account balances, and • review principal financial reporting and disclosure risks. Preparation Stage Review Relevant Control Information 2 3 Identify Relevant Control Systems and Material Account Balances Review Principal Financial Reporting and Disclosure Risks 1. Review relevant control information The first step is to collect control information to help identify areas where design weaknesses in ICFR might exist. A survey of US companies reporting on ICFR under SOX 404 found that “indicators” of a material weakness in ICFR included: • • • • • • • restatements of previously issued financials material audit adjustments ineffective audit committee ineffective internal audit or risk assessment function ineffective regulatory compliance function fraud of any magnitude by senior management, and failure to timely correct significant deficiencies. Areas where significant deficiencies in ICFR occurred included: • • • • selection and application of accounting policies antifraud programs and controls non-routine and nonsystematic transactions, and period end financial reporting process, including journal entries. Identified in a study of SEC registrants’ public disclosures conducted by the Ives Group for Deloitte & Touche LLP. 19 Internal Control 2006: The Next Wave of Certification — Guidance for Management It is also informative to review the areas of weaknesses identified in the SOX 404 ICFR reporting (percentages represent the proportion of companies reporting the weakness): • • • • • • • tax accruals, deferrals etc. revenue recognition inventory/vendor cost of sales fixed/intangible assets leases or contingencies depreciation/amortization consolidation/Variable Interest Entities 31.8% 31.1 27.2 18.5 16.6 12.6 8.9 An analysis of these weaknesses found they related to: • material year end adjustments 52.6% • restatements of financials 49.2 • personnel issues 47.7 • segregation of duties 21.0 • IT processing, access issues 20.7 • internal audit issues 2.5 Other sources of information to consider to help identify areas that might indicate ICFR design weaknesses include: • reports by internal audit • management letters and audit committee communications provided by the external auditors • errors detected by both management and the external auditors in the financial statement preparation and closing process — irrespective of whether these errors were subsequently corrected • communications from regulators, for example concerns expressed in continuous disclosure reviews, and • communications received from employees and others, e.g. as a result of the whistle blowing process Preparation Stage Review Relevant Control Information Identify Relevant Control Systems and Material Account Balances 3 Review Principal Financial Reporting and Disclosure Risks 2. Identify relevant control “systems” and material account balances. It helps to decompose ICFR into meaningful sub-categories. These sub-categories may include the principal processing and accounting systems, including the related material account balances, to which particular process level controls apply, within the context of the control environment and other entity level controls. A typical set of accounting systems would include: • • • • • • financial statement closing and preparation process revenue recognition, receivables and receipts purchases, payables and payments payroll capital expenditures, acquisitions and disposals, and finance and treasury. From a study conducted by Audit Analytics of 629 companies that reported material weaknesses in the first year of SOX 404. The study was published in Section 404 Internal Control Material Weaknesses Dashboard — Results for the first full year of Section 404 disclosures, April, 2006 20 F. Certification Process: Preparation Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Reporting issuers are required to prepare their financial statements on a consolidated basis under the issuer’s GAAP. Therefore, the certification of DC&P and ICFR will include subsidiaries whose financial statements are included in the consolidated financial statements. Larger companies whose accounting systems vary by subsidiary will need to separately consider each subsidiary’s accounting system, where the subsidiary may be material relative to the issuer’s financial reporting. CEOs and CFOs of issuers that consolidate their financial results and MD&A with those of a subsidiary that is also a reporting issuer need to determine the level of due diligence required in respect of the consolidate subsidiary in order for them to provide the issuer’s certification.10 In smaller companies, the accounting systems to be assessed are likely to be more obvious and straight forward. Preparation Stage Review Relevant Control Information Identify Relevant Control Systems and Material Account Balances Review Principal Financial Reporting and Disclosure Risks 3. Identify major financial reporting risks ICFR should provide reasonable assurance that significant financial reporting and other financial disclosure risks are effectively controlled, and will not produce misleading accounting results or disclosures. Therefore, the next step in preparing to certify the design of ICFR is to identify the major financial reporting risks that are to be considered at each step in the assessment stage, including the final stage where findings are assessed and conclusions are formed. Boards of directors have a responsibility for the identification of the principal risks of the issuer’s business, including principal financial reporting and disclosure risks, and ensuring the implementation of appropriate systems to manage these risks.11 Entity-level management processes for identifying and addressing principal business risks should include financial reporting and disclosure risks since these can have serious adverse consequences to the issuer. Investor confidence and market reputation are sensitive to disclosure and reporting deficiencies and uncertainties. Enterprise risk management as an integrative management system can enhance management’s ability to identify, view and assess the potential impact of financial reporting and disclosure risks from a “topdown” strategic perspective, not just at the level of business processes and transaction processing. A robust process for identifying financial reporting and disclosure risks enables CEOs and CFOs to focus on the areas of greatest potential for financial reporting errors and omissions and, for each identified control “system,” assess whether the design of ICFR is likely to reduce these risks to an acceptable level. If a company does not have a robust process for identifying principal business risks, then it should consider establishing one to ensure, among other things, that its ICFR will address financial reporting risks. A significant financial reporting risk that is not adequately addressed by the issuer’s ICFR would likely constitute a design weakness. 10 Companion Policy to MI 52-109 11 CSA NP 58-201, 3.4 21 F. Certification Process: Preparation Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management The bottom line is this: CEOs and CFOs need to have a reasonable, supportable and documented basis for concluding whether the controls that comprise ICFR address all major financial reporting and disclosure risks. Any such risk that is not addressed will represent a significant, even material, weakness in ICFR and, therefore, in DC&P. CEOs, CFOs and management may wish to take the following steps to assess whether the design of ICFR adequately reduces key financial reporting risks to an acceptable level: • identify the key controls that address the identified financial reporting risks • assess and form judgments as to whether these controls are likely to provide reasonable assurance for the mitigation of these risks; in making its assessment, management should consider the control related information obtained, and past experience, and • conduct a walkthrough or “test of one” for all key controls to assess whether the control has been placed into operation. Key Message • CEOs and CFOs should determine whether the principal disclosure and financial reporting risks have been identified. At the end of the design certification process, they should also determine whether those risks are adequately addressed by controls to reduce to an acceptable level their potential to prevent achievement of the four objectives of ICFR. 22 F. Certification Process: Preparation Stage G Certification Process: Assessment Stage The next steps in the process involve utilizing the information collected in the preparation stage to assess the quality of: • the overall control environment • all other entity level controls, and • relevant process level controls. Assessment of Design Stage 4. Assess the quality of the control environment Assess Control Environment Assess Other Entity Level Controls Process Control G Process Control F Process Control E Process Control D Process Control C Process Control B Process Control A Recent high-profile accounting scandals and convictions of CEOs demonstrate that effective ICFR ultimately depends on the integrity of the CEO and a culture of integrity within the organization. These are critical aspects of the control environment, often referred to as the “tone at the top.” The control environment is directly impacted by the board’s expectations for business conduct, which, in accordance with sound corporate governance principles and practices, are first shaped in the boardroom, and then communicated to the rest of the organization, thus setting the context for all other business controls, including ICFR. The following diagram illustrates the linkage of corporate governance with control and ICFR. 23 Internal Control 2006: The Next Wave of Certification — Guidance for Management A recent international review of current developments in and convergence of thinking about internal control states: The importance of the tone at the top and the culture and ethical framework throughout the organization is fully acknowledged and considered essential to the successful implementation of an internal control system.12 The CEO’s and CFO’s assessment of the control environment should also be reviewed by the audit committee and board as part of their oversight of the certification process. The five elements to consider in assessing the control environment are discussed below. Board responsibilities Recognized corporate governance principles and practices embedded in CSA guidelines and disclosure requirements emphasize the board’s role in formulating, communicating and monitoring their expectations about business conduct. These guidelines state that the board’s mandate should include a statement of responsibility for the issuer’s internal control and management information systems13. The guidelines further state that the board should satisfy itself regarding the integrity of the CEO and other executive officers, and the CEO’s and other executive officers’ efforts to create a culture of integrity throughout the organization. The “tone at the top” cannot be “designed” in the same sense as operational or financial policies and procedures. The board, the CEO and senior management can, however, put in place the fundamental principles and expectations to shape the control environment and create a culture of integrity, which is normally reinforced by the example set by the CEO and senior management. The potential for the CEO, CFO and/or controlling shareholder to override controls is also a risk that depends, to a great extent, on the control environment, particularly the objectives the board sets for the CEO and the board’s monitoring of the CEO’s performance. Code of conduct The board can communicate its expectations for corporate behaviour through a code of business conduct and ethics. The CSA calls for all boards to adopt a written code of business conduct and ethics, and to monitor compliance with the code.14 TSX-listed companies are also required to make disclosures about their adoption and monitoring of such a code.15 The failure to adopt and monitor compliance with a code of business conduct does not automatically create an ICFR “design weakness.” It does, however, in our view, create a likelihood of such a weakness, which may be mitigated by other specific procedures or actions taken by the board and senior management. 12 International Federation of Accountants Information Paper, August, 2006, Internal Controls — A Review of Current Developments, page 14 13 National Policy 58-201 Corporate Governance Guidelines, item 3.4 14 CSA NP 58-201, Corporate Governance Guidelines, items 3.8 & 3.9 15 CSA NI 58-101, Disclosure of Corporate Governance Practices, Form 58-101, item 5 24 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Whistle-blowing policy Multilateral Instrument 52-110, Audit Committees, states that: (7)An audit committee must establish procedures for: (a)the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and (b)the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters “Whistle blowing” procedures provide audit committees and boards with information on the control environment, and the policies that help shape it. Again, failing to establish effective “whistle blowing” procedures would not automatically create a “design weakness,” but would probably create the likelihood of one, which may be mitigated by specific procedures or actions taken by the board and senior management. Compensation practices The control environment and senior management’s behaviour can be severely impacted when compensation schemes reward the wrong behaviours (e.g., motivating senior management to override ICFR in order to misstate financial results). The board, through its compensation committee, is expected to take responsibility for executive compensation, which would include ensuring that executive compensation programs support and reward behaviour consistent with the code of business conduct and ethics, and board-approved corporate goals and objectives for the CEO.16 Management’s philosophy and operating style The preceding factors contribute to the “tone at the top” which in turn has a major impact on the CEO’s and senior executives’ management philosophy and operating style, including their: • approach to taking and monitoring business risks, including those related to disclosure and financial reporting • attitudes and actions concerning financial reporting and disclosure • emphasis on meeting shorter term budget, profit, and other financial and operating goals, and • focus on longer term business development and value creation. The degree to which these factors are aligned with board-approved corporate goals, objectives and strategy influences management’s philosophy and operating style. That philosophy and operating style is the interface between the board’s expectations and the control environment, and the expectations communicated to employees about control and the conduct of business. It, therefore, has a significant influence over the effectiveness of other entity level and process level controls relevant to ICFR. The control environment has an overarching, pervasive impact on other entity level and process level controls, including ICFR. Because the CEO and the CFO are themselves key actors within and influencers of the control environ16 CSA NP 58-201, Corporate Governance Guidelines, items 3.15 – 3.17. 25 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management ment, their assessment of the control environment and culture of integrity is unavoidably subjective — and, some might suggest, questionable. This presents a challenge for the CEO and CFO in their certification of the design of ICFR, since they are in effect called upon to assess their own ethics, business conduct and “culture of integrity.” The dialogue between the CEO and CFO and the audit committee will be an important feature in reaching a balanced, objective assessment of the control environment and its effectiveness relative to the design (and later operation) of ICFR. Board influence over the control environment in venture issuers What the board of directors of a venture issuer can reasonably be expected to do in shaping the control environment and “tone at the top” and the means available to it to carry out those tasks deserve special attention. NP 58-201 sets out corporate governance guidelines applicable to all reporting issuers. However, the instrument clearly acknowledges the need to “be sensitive to the realities of the greater numbers of small companies…in the Canadian corporate landscape”, and recognizes that “corporate governance is evolving.” Further, NI 58-101, Disclosure of Corporate Governance Practices, imposes more comprehensive disclosure requirements on non-venture issuers, mirroring the content of NP 58-201, than it does on venture issuers. MI 52-110, Audit Committees, similarly acknowledges that the boardrooms and governance practices of venture issuers can be very different from those of non-venture issuers. It provides exemptions for venture issuers about audit committee composition (including independence and financial literacy) and disclosure requirements. There are, however, no exemptions for venture issuers regarding audit committee responsibilities, including the need for the audit committee to establish “whistle blower” procedures. Given these circumstances, how should the board of a venture issuer respond? Two possible scenarios can be considered. In one, the board may choose to adopt corporate governance best practices relevant to the organization’s size and stage of growth, and do its best to influence the tone at the top, provide oversight of the CEO and foster management integrity. This, in turn, will strengthen key entity level controls and the company’s general “control consciousness.” Together, these activities may compensate for possible shortcomings in process level controls, such as the segregation of duties, that may be difficult or impossible to implement in a small company. This approach might suggest less risk and higher quality of management to analysts and investors. In the second scenario, the board and audit committee may choose to focus only on complying with those governance practices contained in NI 58-101 and MI 52-110 that are directly applicable to venture issuers. As a result, the board might be less effective in setting expectations for “tone at the top” and providing oversight of the CEO, which, in turn, would be less likely to signal the importance of integrity in business conduct and disclosure. This could create a weak control environment, leaving the door open to undetected errors, undesirable business conduct, unreliable or misleading financial reporting and even management override of process level controls. This approach might indicate greater risk and lower quality of management to analysts and investors. 26 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management The CEO’s and CFO’s assessment of the control environment should be a key topic for enquiry by audit committees of both venture issuers and non-venture issuers if financial reporting risk is to be realistically assessed. Key Messages • The control environment is shaped by the expectations set by the board and the “tone at the top” established by the CEO and senior management. It has a lot to do with the integrity of the CEO, other executive officers and their commitment to ethical behaviour. • The establishment of a board approved and monitored written code of business conduct and ethics is an important feature of the control environment • Weaknesses in either the code of business and ethics or monitoring compliance with the code would create the likelihood of a material design weakness in ICFR. • Assessing the control environment’s “design” by CEOs and CFOs is more subjective than assessing the design of other entity level and process level detailed control policies and procedures. • Audit committees and boards should ensure that the CEO’s and CFO’s assessment of the control environment is consistent with the information obtained through the board’s monitoring of compliance with the code, its evaluation of performance of the CEO, CFO and other senior officers, and other mechanisms such as whistle-blowing procedures. CEOs and CFOs should be proactive in involving audit committees in the assessment of the control environment. • There are special considerations for CEOs, CFOs, audit committees and boards of venture issuers in assessing the control environment and the board’s influence on it. Assessment of Design Stage 5. Assess the design of other entity level controls Assess Control Environment Assess Other Entity Level Controls Process Control G Process Control F Process Control E Process Control D Process Control C Process Control B Process Control A The control environment is a vital entity-level control created by relevant aspects of corporate governance, the entity’s tone at the top and its culture of integrity. However, there are other important elements of control relevant to ICFR that function across the entity and impact its business process controls of all types. It is, therefore, necessary to assess whether these other entity-wide controls are designed to adequately support the achievement of ICFR objectives, with the necessary linkages among them, and an appropriate balance between them and the process level controls for each control “system.” Entity-level controls are those that pervade and span all parts of an organization and its business units and processes to support the achievement of all of the organization’s objectives — strategic, operational, reporting and compliance. CEOs and CFOs should focus on the design of the entity-level controls that are particularly relevant to external financial reporting objectives and ICFR. 27 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Entity-level controls are overarching in nature, interdependent and should function holistically in reducing risk and achieving objectives. Linkages should exist between entity-level controls and business process controls and, therefore, the design of the latter should take into consideration the positive influence of the former. This is a question of balance. Key entity-level controls that CEOs and CFOs should consider carefully in the context of design of ICFR are the focus of the fifth step in the process for certifying the design of ICFR. These controls include: • • • • • • internal audit management information systems and performance measures human resource policies and practices (including compensation) organizational structure information technology, and upwards communication of material information. Some entity level controls will not necessarily exist in venture issuers, such as internal audit. Others will exist but at a scale appropriate to the size of the venture issuer and its stage of business growth. Each of these controls is discussed briefly below. Internal audit Does the internal audit function periodically evaluate the design and operation of process level and other entity level controls relevant to ICFR objectives? Does it follow up on recommendations to institute or improve such control features? Is it sufficiently well resourced and independent to be effective? The mandates of internal audit functions vary considerably from company to company. Smaller issuers may not even have an internal audit function or they may outsource such activities. There are three important factors to consider in assessing internal audit’s effectiveness in the design and monitoring of ICFR: • Mandate: Is internal audit’s mandate and audit plan aligned to helping achieve the objectives of ICFR or is it focused primarily on operational efficiency and effectiveness? • Reporting relationships: Does internal audit report to the CEO or sufficiently high in the organization to ensure that weaknesses in ICFR are surfaced and dealt with? Does it have direct access to and a strong working relationship with the audit committee? • Capabilities: Does internal audit have people with the requisite knowledge, experience and skills to effectively discharge their mandate? Does it have the requisite policies, procedures, tools and financial resources to operate effectively and meet its mandate? 28 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Management information systems and performance measures What financial and operational performance reports are regularly provided to management at various levels in the organization? Does management’s review of these reports, and the actions they take in response, provide a reliable means of detecting errors or problems in underlying data and accounting systems? A valuable benchmark for assessing the reliability of periodic external financial reports is the extent to which management at all levels receive and review regular, reliable operational and financial reports and analyzes variances against targets, budgets and prior period data. What may initially appear to be “variances” may, upon closer investigation, be found to be errors in the accounting system. Non-financial management (i.e., operating, sales and administrative personnel) are well-positioned and equipped to detect and communicate deficiencies in external financial reporting. However, the culture and incentives must be conducive to such action, with suitable upward communication about significant variances and related analyses to keep the CEO and senior management sufficiently informed and equipped to detect accounting errors and possibly misstated or misleading external financial reporting. Therefore, the design of ICFR should incorporate the appropriate checks and balances that involve senior non-financial management and operating managers throughout the organization. Human resource policies and practices, including compensation Are human resource policies and practices conducive to attracting, retaining, developing and rewarding personnel for acquiring and applying the skills and attitudes necessary for to carry out their assigned responsibilities relative to the objectives of ICFR? Are the human resource policies and practices consistent with management’s philosophy and operating style? Human resource policies and practices — including those related to recruiting, job descriptions and competencies, training and career development, and performance evaluation and compensation — reflect, among other things, the CEO’s management philosophy and commitment to competence. At the entity-level, human resource policies and practices have a direct impact on the level and quality of staffing for the accounting and finance functions. The design of business process-level controls that address the knowledge and competence of financial staff is closely linked to and influenced by entity-level human resource policies and practices. 29 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Organization structure, and assignment of authority, responsibility and accountability Are authority and responsibility assigned to positions within an organization structure conducive to the effective and efficient achievement of ICFR objectives? Are reporting relationships and accountabilities clearly established and widely understood? A company’s organization structure and its policies and procedures regarding authority, responsibility and accountability are driven by management’s decisions about strategy and the execution of strategy, and by management’s philosophy and operating style. These are important factors to consider in the design of ICFR, particularly the way in which the organization’s accounting and finance functions are organized and staffed, the extent to which authority and responsibility are delegated and the extent to which there is appropriate segregation of duties. Accountability, in practice, is more than just an aspect of structural choices and management policies and procedures. It is also influenced by the culture of integrity, tone at the top, and management philosophy and operating style. This makes it more difficult, but no less important, to consider than the other more tangible features of ICFR design. Information Technology (IT) Do the appropriate entity-wide controls exist over computer hardware, business and accounting systems and internal networks to ensure system security and data and program integrity? Are IT controls designed according to recognized methodologies and integrated within the organization’s overall control structure? IT controls need to be considered at three levels: Entity-wide; Application; and Distributed processing. Entity-wide IT controls are a key aspect of ICFR design. That is why the COSO framework was adapted by ISACA17 and its research affiliate for their Control Objectives for Information and Related Technology (COBIT),18 which provides guidance on the design and evaluation of IT controls for the purposes of financial reporting objectives and ICFR. Entity-level IT controls are distinct from application controls specific to business processes and identified control “systems.” Entity-level controls include what are often referred to as general computer controls and are important, not only for ICFR purposes related to external reporting, but also for the effectiveness of business and risk management information systems. At the entity level, a particular challenge for IT and financial professionals is for them to function effectively together in determining cost-effective control solutions that integrate financial and operational data and information needs. The advent of distributed processing, and the use of IT by personnel throughout an organization, often with internet access, presents its own set of complexity and IT-related risks, which in turn can pose risks that ICFR needs to address. 17 Formerly known as Information Systems Audit and Control Association 18 COBIT expressly aims to integrate IT controls within the COSO 1992 framework, and the more recent COSO ERM framework (2004). 30 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Upwards communication of material information Are policies and procedures in place to ensure the upward communication of information from all business units and subsidiaries? Is the appropriate information being communicated upward to senior management so they can make timely decisions about financial disclosures and to correctly apply accounting policies and estimates? Material information relating to the financial statements, from all levels of the reporting issuer’s organization including its consolidated subsidiaries, must be made known to the CEO and CFO, particularly during the period in which the financial statements are being prepared. The upward communication of material information is a key feature of DC&P and the CEO’s and CFO’s certification of it. The CEO and CFO need to assess specifically whether policies and procedures exist to ensure that they receive timely information about material events and conditions across and at all levels of the organization. That assessment will enable the CEO and CFO to then assess whether the accounting and disclosure are complete, accurate and appropriate. The absence of such policies and procedures would prima facie represent an ICFR design weakness. Issuers that have already taken steps to implement DC&P to support their related DC&P certifications should find these steps also contribute to ICFR. Key Messages • The CEO and CFO must assess whether entity-wide controls are designed to adequately support the achievement of ICFR objectives, with the necessary linkages among them, and an appropriate balance between them and the process level controls for each control “system.” • Key entity-level controls that CEOs and CFOs should assess include: – internal audit – management information systems and performance measures – human resource policies and practices (including compensation) – organizational structure – information technology, and – upwards communication of material information. 31 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Assessment of Design Stage 6. Assess process level controls Assess Control Environment Assess Other Entity Level Controls Process Control G Process Control F Process Control E Process Control D Process Control C Process Control B Process Control A An organization’s control structure includes controls relevant to ICFR at the level of business processes and material account balances (e.g. revenue, purchasing, payroll, asset management, inventory, period-end closing, etc.) within the company and all organizational units (e.g. divisions, subsidiaries, off-balance sheet/special purpose entities, joint-ventures etc.). There are several types of process level control particularly relevant to ICFR. The way they are applied and the design factors to be considered in applying them will likely differ depending on the organization’s size and complexity. Each type of control should be assessed for each identified control “system” and organizational unit. The key sub-elements are described below. Alignment with specific process financial reporting risks Have the principal financial reporting and disclosure risks related to the control system or organizational unit been identified? The assessment of principal business risks at the entity level should include an identification of principal disclosure and financial reporting risks. In assessing the design of ICFR, some risks must be addressed at both the entity control and process levels. For example, revenue recognition is often a financial reporting risk in technology companies where accounting standards are complex and difficult to apply. The financial reporting and disclosure risks need to be identified and aligned with each identified “control system”, organizational unit and account balance to which they are relevant. Accounting policies and estimates Are appropriate policies in place to guide the actions and judgments of those involved in the recording of transactions and the preparation of the issuer’s financial statements, including necessary accounting estimates? Well-developed accounting policies and accompanying application guidance inform the judgments of those involved in financial statement preparation, and also the work of the IT personnel who design (or select) the software for correctly recording transactions. The lack of an appropriate set of accounting policies and related guidance (manuals, etc.) would indicate the likelihood of an ICFR design weakness. Accounting estimates present a particularly important challenge for the design of ICFR. Financial statements contain many estimates. Some are made at the operational level (e.g., inventory obsolescence), others at the corporate level (e.g., in accounting for stock options). Some estimates have detailed specifications (e.g., estimates of unfunded pension obligations and health care obligations), while others have only general parameters (e.g., bad debt provisions). Accounting estimates can have a major impact on reported results. For this reason, they have often been used to manipulate earnings. Because of their potential impact on reported earnings (and the potential for manipulation), ensuring there is appropriate control over accounting estimates is an important feature of ICFR design. 32 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management The increasing complexity of accounting standards increases the challenge of making appropriate accounting estimates (and making the necessary disclosures in financial statement footnotes and MD&As). For smaller companies this can be particularly problematic if they do not have the resources necessary for such tasks. Examples of controls the CEO and CFO should address in assessing the design of ICFR with respect to accounting estimates include those to provide reasonable assurance that: • all required estimates are made in preparing the financial statements • the people involved have the requisite expertise and understand the accounting objectives (e.g., internal actuaries, who prepare valuations for funding and accounting purposes) • the financial and non financial data used in the making estimates are complete and accurate (e.g., payroll and HR data supplied to actuaries to enable them to compute pension accounting estimates) • the assumptions used in making/computing the estimate are “reasonable” and free from bias • an appropriate methodology is used in preparing/computing the estimate (some methodologies as in pensions are prescribed while other estimates depend on the judgements of management), and is properly documented to ensure consistent application over time • if specialists are used in preparing an estimate, there is appropriate oversight of the selection of the specialist and the terms of the engagement • the final estimates produced are “reasonable,” free from bias, and fairly presented in the financial statements and MD&A, and • senior management over-ride will be prevented (e.g., improper release of provisions or reserves so that reported results meet analysts’ expectations). Allocation of authority, responsibility and accountability Is there an appropriate allocation of authority, responsibility and accountability with respect to those involved in the preparation of the issuer’s financial statements and the management and control of principal financial reporting and disclosure risks? There are two specific issues for CEOs and CFOs to consider. One is the segregation of certain duties, particularly in smaller companies where staff resources are limited. The other is the effect that decentralization has on an organization, which often occurs as a result of management philosophies of empowerment and organizational flattening. A lack of an appropriate segregation of duties, such as between purchasing, inventory, payables and payments or personnel administration and payroll, can create design weaknesses that may be difficult to remedy at the business process level. In these situations, board oversight, tone at the top, a culture of integrity and other entity level controls may be the only design features available for adequate ICFR. In addition, the periodic external reviews of transactions, reconciliations and accounts by suitably qualified professionals may also be an acceptable remedy. 33 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management The segregation of duties in very small entities is often difficult since their size limits the extent to which such segregation is practicable. In a smaller public company, the CEO or controlling shareholder may be able to exercise more effective oversight than they would in a larger entity, thereby compensating for the more limited opportunities for the segregation of duties. On the other hand, the CEO or controlling shareholder may be more able to override controls because of the more informal system of internal control. Knowledge and competence of financial staff Do the people involved in the preparation of financial statements have the necessary knowledge (e.g. GAAP), skills and tools to support the preparation of financial statements and making appropriate accounting estimates? Accounting personnel’s knowledge, skills and experience, including their education and professional qualifications, should be assessed in relation to their roles and responsibilities in the finance functions at the corporate and business unit levels. Accounting personnel must have the capability of addressing the complex and technical challenges related to the issuer’s GAAP, tax compliance, accounting and provision estimates, etc. For example, an organization that prepares its financial statements in accordance with US GAAP or prepares a reconciliation between US GAAP and Canadian GAAP should have the requisite knowledge and expertise in US GAAP, or acquire it. Smaller issuers may acquire the expertise they need by retaining expert outside legal or accounting advice to respond to what would otherwise be a significant ICFR weakness. Control activities and documentation Have control activities and procedures (both manual and automated) been established, documented and communicated throughout the issuer’s organization to promote effective compliance with accounting policies, management directives and regulatory requirements affecting financial reporting? Application level IT controls are usually very important as well as complex. Management must assess the manual and computer controls needed to achieve the objectives of ICFR, including authorizations and approvals, preparation and supervision of reconciliations, reviews of performance reports, physical controls, variance analysis, etc.. SOX 404 and ICFR reporting in the U.S. has resulted in much more focus on the role of IT controls at the application level. This is likely to be valuable in Canada as the focus on design and evaluation of ICFR accelerates. Well designed IT controls offer significant potential for enhancing the effectiveness of controls in transaction processing systems and simultaneously reducing compliance costs. 34 G. Certification Process: Assessment Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Management information and key performance indicators Are results of operations as reported in financial statements based on accounting systems consistent or reconcilable with senior management’s knowledge of actual business operations and with internal management information, including key financial and non-financial performance indicators? This is both an entity level control, as applied by the CEO, CFO and other corporate executives, and a process level control as applied within control systems and business units. Just as the extent to which management at all levels receive and review regular, reliable operational and financial reports serves as a useful benchmark for assessing the reliability of periodic financial reports at the entity level, so too is the extent management at the business process level receives and reviews such reports and analyzes variances against targets, budgets and prior period data. Regular review of management reports with the CEO and CFO are valuable control features. Similarly, it is important that the culture and incentives at the business process level are conducive to non-financial management communicating upwards about significant variances and related analyses. Control monitoring and warning signals Are there appropriate control monitoring activities (e.g. internal audit) that would indicate weaknesses in the design of ICFR? Are other warning indicators of potential design weaknesses in ICFR routinely monitored, such as adjustments required in the annual closing process or the confidential, anonymous submission by employees of concerns regarding questionable accounting matters? Other warning signals include regulators’ Continuous Disclosure reviews and letters and, possibly, shareholder proposals and institutional investor enquiries. While control monitoring and assessment is often considered to be an entity level control, especially with respect to a corporate internal audit function, the importance of its application at the business process level for ICFR purposes should not be overlooked. IT vendors have powerful automated tools for monitoring controls and automatically raising alerts when pre-set error or variance conditions are detected. Key Messages • An organization’s overall control structure includes controls relevant to ICFR at the level of business processes and material account balances and at the level of organizational units. • The process level controls summarized above should be assessed for each identified control system and organizational unit. 35 G. Certification Process: Assessment Stage H Conclusions and Disclosure Stage Certification Process: Conclusions and Disclosure Stage Assess Findings, Form Conclusions and Make Disclosures The final stage in the process for preparing to certify ICFR design is for the CEO and CFO to review all the findings obtained in the preceding steps, form their conclusions about the design of ICFR, and assess the implications for disclosures in the MD&A and the ability of the CEO and CFO to sign their respective certificates. To sign their certificates, including the new certifications on the design of ICFR required in 2006, the CEO and CFO must be satisfied that: • the design of their ICFR will provide reasonable assurance of attaining the four elements of ICFR, and • there is appropriate disclosure in the MD&A of weaknesses in the design of ICFR, as well as of any changes in ICFR in the most recent quarter. A special situation exists if the CEO and CFO conclude that there is an uncorrected material weakness in design of ICFR as of the end of the reporting period, such that the first condition above would not be satisfied. This situation is discussed below under “f. Deciding on signing the certificate”. a. Review findings from assessments of ICFR design CEOs and CFOs should review their assessment of the design of ICFR at the entity level (control environment and other entity level controls) and at the process level (see matrix below). Two elements of this entity-level assessment deserve particular emphasis: • The assessment of the expectations set forth by the board and the CEO for the control environment and the culture of integrity, and • Controls over principal financial reporting and disclosure risks. Controls over principal financial reporting and disclosure risks should be viewed as “mission critical” because these risks could create serious reporting issues if they are not adequately controlled. A design weakness in ICFR with respect to controlling a principal financial reporting or disclosure risk would likely constitute a material design weakness. 37 Internal Control 2006: The Next Wave of Certification — Guidance for Management The following matrix may be used to summarize the results of assessing the process controls to the various identified control “systems” (business processes and units). In Row 1, summarize the financial reporting and disclosure risks applicable to each control “system” that has been assessed. Then, in each cell for Rows 2-7, enter management’s preliminary conclusions for the CEO’s and CFO’s consideration, using a scale such as: A.Evident weakness — there is a need to consider whether there is a significant deficiency that should be reported to the audit committee or a material weakness that should be disclosed in the MD&A. B. Possible weakness — further investigation is required to reach a final conclusion. C.No sign of weakness — the ICFR design element looks effective. Elements: Control system Control system Control system Control system A B C D 1.Identify principal financial reporting and disclosure risks 2.Accounting policies 3.Allocation of authority, responsibility and accountability 4.Knowledge and competence of financial staff 5.Control activities and documentation 6.Management information and KPIs 7.Control monitoring & warning signals Completing a matrix such as the one above makes it possible to identify any patterns of apparent systemic weaknesses or specific weakness in a particular business process or unit. The possibility of compensating entity level controls should also be considered when addressing weaknesses in process level controls. 38 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Any instance where the CEO and CFO, or those assisting them in applying the elements of ICFR design, are unable to satisfy themselves will usually indicate a potential weakness in the design of ICFR. Consideration then needs to be given to whether any compensating control exists at the entity level that would detect and correct any errors that slipped through this weakness. b. Disclosure considerations and decisions Changes will need to be made to ICFR if the CEO and CFO conclude that the design of ICFR, all or in part, does not meet the “reasonable assurance” threshold contemplated in the design certification requirements, and that the impact of a single design weakness or of a combination of weaknesses could result in a material misstatement or omission in the financial statements. Management also needs to consider whether their materiality assessments address the other three objectives of ICFR. Any changes made to ICFR to remedy material design weaknesses are to be disclosed in the MD&A at the end of the reporting period in which the changes were made.19 Following are some important factors to be considered in making disclosure decisions about ICFR weaknesses. i. Categories of ICFR design weaknesses There are three levels of disclosure for CEOs and CFOs to consider in evaluating a weakness in the design of ICFR. These are: • Type A — weaknesses that are considered to be material, and should be disclosed in the MD&A as well as to the audit committee and external auditors • Type B — weaknesses that are not considered to be material but are significant enough to be communicated to the audit committee and external auditors, and • Type C — weaknesses that are not significant from an external reporting perspective, but should be communicated to the appropriate member of management for remediation. Issuers should develop their own criteria for applying these categories in practice. These criteria should be developed in consultation with internal audit, the external auditors and the audit committee in the interests of consistency in disclosure and internal communication. When an ICFR design weakness is identified, it is necessary to evaluate its significance and decide which category it falls into. This decision involves: • deciding whether the ICFR design weakness could result in a material error in or misstatement of the financial statements, on either a qualitative or quantitative basis, and • the likelihood of such an error or misstatement actually occurring in future periods. ii. Materiality The accounting literature contains guidance in making materiality determinations from both a qualitative and quantitative perspective. Unfortunately, no Canadian guidance is available to help management evaluate the likeli19 For December 31 2006 year end annual MD&As, this will be the fourth quarter. 39 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management hood of errors occurring, or what would constitute a “low” likelihood vs. a “high” likelihood. There is, however, guidance in the U.S. literature, and the following is a summary of the U.S. material for external auditors in evaluating control deficiencies, which may be useful to CEOs and CFOs in assessing the impact of deficiencies detected in ICFR design. The U.S. PCAOB20 has defined a material weakness as “a significant control deficiency, or combination of deficiencies, that results in a more than remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” All material weaknesses would need to be disclosed. In the U.S., control deficiencies that are less serious than a material weakness are required to be disclosed to the audit committee. If one or more material weaknesses exist at the company’s year end, management and the external auditor must conclude that ICFR is not effective. The U.S. test of “more than a remote likelihood” that a material misstatement will not be prevented or detected by the ICFR design weakness is a low threshold and tough standard to use in the assessment of ICFR design weaknesses. However, it needs to be considered, since it could be used by the courts in the absence of a Canadian definition or authoritative guidance. As a result, CEOs and CFOs should use their professional judgment in assessing their findings with respect to the design of ICFR and determining the appropriate disclosure in the MD&A. Any material design weakness in ICFR should, in our view, be disclosed in the MD&A since it is likely to affect the effectiveness of DC&P. We consider this to be a prudent practice that ensures relevant information is provided to investors. In the absence of a disclosure referencing a design weakness in ICFR, investors are likely to assume that the design of ICFR is effective and that there are no material weaknesses to disclose. We also point out that, if there is a restatement in a subsequent reporting period to correct financial statement errors that occurred in the current reporting period, regulators (and potential plaintiffs) will look to see whether a design weakness in ICFR was disclosed to alert the reader of the financial statements. If a design weakness was identified but not disclosed, then the burden of proof will be on the officers and directors to justify their decision not to disclose. iii. A decision tree on disclosure of material weaknesses It is necessary to consider the need for disclosure of ICFR design changes for weaknesses that are identified but not remediated before the annual financial statements are finalized. Where an ICFR design weakness is identified before the 2006 annual financial statements are finalized, an investigation should be carried out to determine whether a material error has, in fact, occurred, what adjustments need to be made to the draft 2006 financial statements, and whether a restatement is required to correct errors in prior periods (interim or annual financial statements). It would be difficult for officers or directors to demonstrate “due diligence” if identified design weaknesses in ICFR were not promptly investigated to assess their qualitative and quantitative impact. 20 Public Company Accounting Oversight Board 40 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management A decision tree to help in deciding on the appropriate disclosures and possible corrections to financial statements needed in relation to ICFR changes regarding weaknesses identified (but not remediated) before the financial statements have been finalized is presented below. Chart 1 Steps in deciding if a weakness in ICFR design at year end should be disclosed. Not Likely (i.e. remote probability) Consider an identified ICFR design weakness existing at year end: Could the design weakness fail to detect or prevent a material error? Yes Do current or prior period F/S in fact contain a material error? No Disclose design weakness in MD&A and what management is doing to remedy the weakness Advise management; No disclosure required Yes Correct errors, and restate prior period F/S if necessary and disclose design weakness in MD&A and disclose what management is doing to remedy the weakness iv. Investigating the impact of ICFR design weaknesses Investigating and correcting any financial statement errors that may have occurred as a result of the ICFR design weakness failing to prevent or detect them does not eliminate the need to disclose the material ICFR design weaknesses in the annual MD&A. All material weaknesses in the design of ICFR existing at year end should be disclosed, followed by appropriate “change disclosure” in a future period when they are rectified or remediated. In our view, remediating an ICFR design weakness should require both a “design fix” and a test to determine that the new design is operating effectively in practice. As a rule of thumb, we suggest that a design fix should operate effectively for at least a quarter before it can be considered rectified, at which time the change would be disclosed in the next interim (or annual) MD&A. Management should also investigate and correct any errors that might occur as a result of the ICFR design weakness in future reporting periods until the weaknesses are remediated. For example, suppose a material weakness in the design of ICFR is detected and disclosed in the 2006 annual MD&A. Management should conduct an investigation to ensure that this weakness did not result in material errors in the 2006 financial statements before these statements are finalized and released. They should then conduct a similar investigation in the first quarter of 2007, and in subsequent quarters, until the 41 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management weakness in the design of ICFR is corrected. To do otherwise could leave these officers, and the directors, exposed to legal and/or regulatory actions if there were a material error in the financial statements and they had done nothing to ensure that the financial statements were fairly presented when they were aware that a material design weakness existed in ICFR. c. Disclosure examples Some examples of material weaknesses disclosed by U.S. companies in their annual filings include: • “The company did not maintain effective controls to ensure that there was appropriate support and documentation for reimbursement of expenditures, this control deficiency resulted in a misstatement.” • “Management identified a material weakness in our accounting for income taxes. Specifically the company did not maintain sufficient resources in the corporate tax function.” • “Management had determined that a control deficiency related to revenue recognition on contracts entered into with customers constituted a material weakness.” • “Two material weaknesses related to the company’s vendor debits process and financial statement close process existed in the company’s internal control over financial reporting.” d. Deciding on disclosure of changes in ICFR Paragraph 5 of the CEO/CFO certificate21 for 2006 requires CEOs and CFOs to disclose in the MD&A any material changes in their ICFR that were made in the most recent interim reporting period – Q4 for annual MD&As. This applies to changes that have materially affected ICFR and those that are reasonably likely to do so in the future. The failure to make such disclosures would compromise the completeness of the MD&A as well as the CEO’s and CFO’s ability to certify that the filings “fairly present in all material respects the financial condition, results of operations and cash flows of the issuer.” A decision tree to help in deciding on appropriate disclosures and possible corrections to financial statements needed in relation to ICFR changes in Q4 is presented on the next page. This decision tree is based on our understanding of existing published CSA material Issuers are, of course, encouraged to follow the guidance that the CSA has indicated it is developing about disclosure of changes in ICFR in the interim period preceding the certification. 21 See Appendix 1 for full text of 2006 certification 42 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Chart 2 Steps in deciding if a Q4 change in ICFR design should be disclosed Identify changes in design of ICFR in prior quarter (Q4). For each change: Was the change in ICFR made to remedy an identified design weakness? No Investigate impact on current and prior period F/S. If material error/s caused, disclose the ICFR change in the MD&A (and correct errors and restate prior period F/S as necessary) Yes Was the change needed as a result of business factors, events or decisions that would otherwise weaken ICFR? Yes Do current or prior period F/S in fact contain a material error? Yes No No Disclosure Required Disclose change in design of ICFR in the MD&A Disclose change in ICFR in the MD&A and correct errors and restate prior period F/S as necessary e. Uncorrected material weaknesses in ICFR A situation may arise where an uncorrected material weakness in design of ICFR has been identified as of the end of the reporting period, appropriate MD&A disclosure has been made about the weakness, and appropriate steps have been taken to ensure that there is no material effect on the financial statements. Under these circumstances, it seems unlikely that the CEO and CFO would be able to certify that the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. This situation would, it might be argued, also prevent the CEO and CFO from signing and filing the full certificate, since the Companion Policy to MI 52-109 does not permit changes of any kind in the wording of the certificates. If a situation such as this occurs, the matter should be brought to the attention of the audit committee, and legal counsel should be consulted to determine an appropriate course of action. We believe that the CSA may not object to CEOs and CFOs signing their certificates, including the paragraph about ICFR design, if: • The weakness is fully disclosed in the MD&A, together with a formally approved remediation plan, or • The weakness is fully disclosed in the MD&A, together with a statement, including supporting rationale, that the issuer cannot remediate the weakness. In other situations, e.g. the weakness is reasonably capable of remediation but the issuer has not developed a remediation plan, the CSA may be reluctant to accept the certificate. 43 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management We encourage issuers to review the staff guidance that the CSA plans to provide on disclosure regarding ICFR weaknesses, and to consult with legal counsel and the appropriate securities commission on the disclosure and certification to be provided. If the issuer is disclosing a remediation plan for an identified material weakness in ICFR, then in our view such a plan should clearly indicate the actions that need to be taken and when, and the commitment and capability to carry them out. The plan should be approved by the CFO, the CEO and the audit committee. These disclosures should continue to be provided in future periods until the audit committee is satisfied that the remediation plan has been fully implemented. It would be unwise for management and audit committees to try to rationalize why an ICFR design weakness is not really material and should not be disclosed, in order to avoid the contradiction that might arise between the disclosures in the MD&A and the wording in the required certificates. f. Issues for small companies In small companies with limited resources, certain ICFR design weaknesses (e.g., segregation of duties) may be difficult or impossible for CEOs and CFOs to rectify in a cost-effective manner. In addition to following the course of action outlined above regarding uncorrected material weaknesses, management and the audit committee may wish to consider whether there are other actions that could be taken to provide assurance to investors that these ICFR design weaknesses have not resulted in material error in the financial statements. For example, the audit committee could engage the external auditor to perform quarterly reviews of interim financial statements. If the audit committee engages the auditors to perform quarterly reviews, we recommend that this fact be disclosed in the MD&A. Additional help from the external auditors is discussed further in the next section of this publication. 44 H. Certification Process: Conclusions and Disclosure Stage Internal Control 2006: The Next Wave of Certification — Guidance for Management Key Messages • CEOs and CFOs should review the assessment of ICFR design for each control system and business unit relative to the principal financial reporting and disclosure risks. A design weakness in ICFR with respect to controlling a principal financial reporting or disclosure risk would likely constitute a material design weakness. The possibility of compensating entity level controls should be considered when addressing weaknesses in process level controls. • Materiality is a critical decision, and requires CEOs and CFOs to exercise their professional judgment. While the definition of material weaknesses in the U.S. auditing literature is not authoritative in Canada (except for inter-listed reporting issuers), it is relevant and needs to be considered. • Any material design weakness in ICFR should be disclosed in the MD&A, since it is likely to also be a design weakness in DC&P. • It is appropriate to also disclose in the MD&A a remediation plan developed by management to correct an ICFR design weakness, providing this plan has been formally approved and the capabilities are in place to implement the plan. • If a material ICFR design weakness is disclosed, but remediating the weakness is not considered to be cost effective, then it is appropriate for management to disclose the actions that have been taken (e.g., engaging the external auditors to perform reviews of the interim financial statements) to ensure that this weakness in ICFR has not contributed to material errors in the financial statements. • MI 52-109 requires that changes made to ICFR to remedy material design weaknesses be disclosed in the MD&A at the end of the reporting period in which the changes were made.22 • Disclosing an unremediated material ICFR design weakness in the MD&A presents a tough question for the CEO and CFO as to whether they should sign their certificates stating that the design of ICFR is effective. The CEO and CFO should consider the expected CSA guidance on such a situation, obtain legal advice and review their proposed course of action with the audit committee. The securities regulators should also be consulted if necessary. • Finally, in assessing the design of ICFR, management should ensure that ICFR is designed to support both internal business decision making as well as external financial reporting. In so doing, the time and effort spent in the design and assessment of ICFR will earn a return on this investment. 22 22 For December 31 2006 year end annual MD&As, this will be the fourth quarter. 45 H. Certification Process: Conclusions and Disclosure Stage I The Role of the Audit Committee and External Auditors MI 52-109 does not require audit committees, the boards of directors or the external auditors to review or approve the CEO and CFO certificates. Audit committees are, however, required to review the MD&A, which is to include the disclosure of material weaknesses for both DC&P and ICFR and changes in ICFR. As a result, we consider that directors need to become involved with the certification process in relation to ICFR, and audit committees and external auditors need to exercise their respective responsibilities regarding ICFR and related disclosures. This section summarizes, for the benefit of CEOs and CFOs, our views about the role and responsibilities of the audit committee and board of directors, the role of the external auditors and the ways in which the external auditors may help the audit committee. The responsibilities of the audit committee and board of directors MI 52-110, Audit Committees, states that audit committees must review the issuer’s financial statements, MD&A and annual and interim earnings press releases before the issuer publicly discloses this information. The board of directors is required to approve both the issuer’s financial statements and MD&A for release and filing with securities regulators. Since material weaknesses in DC&P and ICFR, along with material changes in ICFR, are required to be disclosed in the MD&A, the audit committee needs to satisfy itself that these disclosures are complete (i.e., all material weaknesses are disclosed) and fairly presented — just as it would for all other disclosures included in the MD&A. We believe directors should not just review the draft control-related disclosures, but should also understand and assess the certification process that generated these disclosures. We make this suggestion for three reasons. First, an understanding of the certification process would provide the audit committee with an opportunity to better understand the strengths and weaknesses of the control systems of the issuer, and where appropriate support from the audit committee would help to strengthen these systems. 47 Internal Control 2006: The Next Wave of Certification — Guidance for Management Second, it provides the audit committee with an understanding of the process followed by the CEO and CFO in preparing to certify the effectiveness of ICGR design, and the basis for the judgments exercised in the process and assessment of findings. Third, it should help the audit committee and directors establish a defence in the event of proceedings under Ontario’s civil liability legislation for secondary market disclosures. It is in the audit committee’s interest to satisfy itself with respect to the rigour of the CEO/CFO certification process, findings and conclusions. Simply put, a rigorous certification process conducted by the CEO and CFO should be the directors’ best friend in defending themselves against a financial reporting or disclosure related lawsuit. The audit committee can play an important role in supporting well designed ICFR, and ensuring that these controls are operating effectively. Well designed ICFR helps ensure that the audit committee and other internal users receive timely, accurate and reliable financial information on which to make decisions. The audit committee is well positioned to review and influence the design and operation of ICFR. The CFO is normally the primary management interface with the audit committee; also, the external auditors, and often the internal auditors, report to the audit committee on the results of their work. In addition, when the board approves strategic plans, the audit committee can monitor the adequacy of resources allocated for designing and sustaining effective DC&P and ICFR. The companion publication for audit committees and boards of directors provides a set of 20 questions that audit committees and boards may wish to ask of CEOs and CFOs as part of their due diligence and oversight process to assure themselves that the CEO and CFO have conducted a duly rigorous assessment of the design of ICFR. The responsibilities of the external auditor The external auditors can assist the audit committee and the board of directors in a number of ways, depending on the terms of their audit appointment and the other services they have been asked to perform. Today, the audits of Canadian public companies must be performed in accordance with either U.S. Generally Accepted Auditing Standards (GAAS) or Canadian GAAS. The external auditors of companies that are SEC registrants must comply with U.S. SOX 404 requirements and perform their audits in accordance with the auditing standards of the U.S. PCAOB , which require them to provide opinions on: • the financial statements • management’s assessment of ICFR, and • the design and operational effectiveness of ICFR. The external auditors of Canadian domestic issuers are required only to audit and report on the annual financial statements. Under Canadian standards, the auditor does not provide an opinion on the operating effectiveness of DC&P or on the design of ICFR . 48 I. The Role of the Audit Committee and External Auditors Internal Control 2006: The Next Wave of Certification — Guidance for Management Understanding the differences between these two sets of auditing standards is important, since many corporate directors will sit on the boards of both Canadian domestic issuers and SEC registrants. The following is a brief overview of the implications. Under U.S. standards for providing the ICFR related opinions, the auditors are required to obtain a much deeper understanding and knowledge of the design and operating effectiveness of ICFR, enabling them to provide information likely to be of use to the audit committee. More importantly, the audit committee and board of directors are likely to be able to rely on the auditor’s control related opinions as reports provided by an “expert.” This additional knowledge and assurance, however, comes at a price since the external auditors must significantly expand their review and testing of ICFR beyond that involved in a financial statement audit. Canadian auditing standards, on the other hand, have been developed to support an audit of the financial statements, but not to provide additional opinions or assurance on ICFR. In conducting the audit the auditor does, however, obtain some insights on aspects of the design of ICFR and its operating effectiveness. As a result, the external auditors can help audit committees understand the design of ICFR and any weaknesses they have detected in the course of their financial statement audit. The following paragraphs illustrate how the external auditor obtains knowledge about the design and operating effectiveness of ICFR. In conducting a financial statement audit, the external auditor is required under Canadian GAAS to obtain an understanding of internal control relevant to the audit. Controls relevant to a financial statement audit are those that pertain to the entity’s objective of preparing financial statements for external purposes that are fairly presented, in all material respects, in accordance with generally accepted accounting principles (GAAP) and the management of risks that may give rise to a material misstatement in those financial statements. When obtaining an understanding of internal control relevant to the audit, the auditor evaluates the design of relevant controls and determines whether these controls have been implemented. The external auditor’s objectives in obtaining this understanding are to: • identify types of potential misstatements of the financial statements • consider factors that affect the risks of material misstatement of the financial statements; and • design the nature, timing and extent of further audit procedures to be performed. If, in determining the nature, timing and extent of further audit procedures to be performed, the external auditor decides to rely on the operating effectiveness of specific controls, the external auditor is required by GAAS to test that those controls operated effectively. The nature, timing and extent of tests of the operating effectiveness of these specific controls, and the work done on the design and implementation of controls relevant to the audit, are not intended to, and do not provide an appropriate basis for the external auditor to form an opinion on the operating effectiveness of ICFR as a whole. Accordingly, the external auditor does not provide such an opinion. 49 I. The Role of the Audit Committee and External Auditors Internal Control 2006: The Next Wave of Certification — Guidance for Management Communication with the audit committee During the course of planning and performing the financial statement audit, the auditor may identify significant weaknesses in internal control relevant to the audit, management and the audit committee. To comply with GAAS, external auditors are required to communicate such weaknesses to the audit committee or its equivalent. Audit committees should, therefore, engage in an open and frank discussion with their external auditor to ensure that they understand the auditor’s views on the design of ICFR and any potential ICFR weaknesses that are of concern to the auditor. When evaluating the effectiveness of the DC&P and assessing whether the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements, the CEO and CFO should also take into account material weaknesses in internal control communicated by the external auditor. For their part, the external auditors are associated with the MD&A and must therefore review the MD&A to ensure its consistency with the financial statements and the knowledge they have developed during the course of the audit. Should the external auditor conclude that the representations or disclosures in the MD&A are inconsistent with their knowledge (e.g., the MD&A does not disclose any weaknesses in the design of ICFR but the external auditor is aware of design weaknesses that they consider to be material) then the external auditor is required to communicate this information to the audit committee and take whatever action is necessary. Additional help from the external auditors While the auditor’s communication of material weaknesses in internal controls may provide some useful insights into ICFR, the auditor cannot provide assurance with respect to the effectiveness of ICFR through an examination of financial statements alone. Nor can work done in a financial statement audit provide the type of assurance given to audit committees and boards of interlisted companies subject to SOX 404. In order to receive such assurance, a Canadian issuer would have to engage its auditor to perform an engagement with the specific objective of providing assurance on ICFR. Such an engagement would require the auditor to perform procedures that were not included in the financial statement audit. The terms of such an engagement should be agreed between the auditor and the issuer (including approval by the audit committee) and be appropriately documented. While this alternative is likely to involve significant costs, it is probably the most effective way of minimizing the liability exposure of the issuer, its officers and directors. Whether the benefits are worth the costs involved is something for each audit committee to determine based on the issuer’s specific circumstances. Another, less costly, option is for the audit committee to engage the external auditor to perform “specified procedures” to support the audit committee’s due diligence assertion that it conducted a reasonable investigation. Such pro- 50 I. The Role of the Audit Committee and External Auditors Internal Control 2006: The Next Wave of Certification — Guidance for Management cedures might include performing tests of those controls related to principal financial reporting and disclosure risks. In such engagements the external auditor would: • agree with management and the audit committee as to the procedures to be performed • perform those procedures, and • report to management and the audit committee their findings. While “specified procedures” engagements do not provide assurance on the overall design or operating effectiveness of ICFR, they would support an assertion that the audit committee conducted a “reasonable investigation.” They would also provide objective evidence for management and the audit committee to use in determining whether the disclosure of material weaknesses in the MD&A is required or not. External auditors can also assist management with the documentation and evaluation of control procedures. However, depending on the nature and extent of procedures to be performed, such engagements could pose a threat to the auditors’ independence since it could place the auditors in a position of auditing their own work. Key Messages • MI 52-109 does not require the audit committee or board of directors to approve the CEO’s and CFO’s certificates, however they should review and approve the CEO’s and CFO’s conclusions that are disclosed in the MD&A. • While the external auditors are not required to audit the disclosures contained in the MD&A, they must review the MD&A to ensure that the ICFR related disclosures are consistent with the knowledge developed during the financial statement audit. • The audit committee should ask probing questions, and obtain relevant information and reports to satisfy itself that the certification process was thorough, rigorous and that all findings were dealt with appropriately. • If the audit committee desires more assurance from the external auditor than that provided in the audit of financial statements, they can: – engage the external auditors to expand their audit procedures to provide a report containing an opinion on the design and operating effectiveness of ICFR similar to that provided in an audit of ICFR performed in accordance with U.S. auditing standards, or – engage the external auditors to perform certain “specified procedures” with respect to ICFR and report their findings to both management and the audit committee. • Audit committees should encourage their organizations to take a “beyond compliance” approach that integrates ICFR into their business and risk management practices and helps them achieve their business objectives. 51 I. The Role of the Audit Committee and External Auditors J Readiness for the Fourth Phase of Certification The top-down, risk-based process described in this publication is intended to help CEOs and CFOs comply in a cost effective way with the CSA requirements for 2006 certifications on design of ICFR and changes in ICFR. It also provides the opportunity for CEOs and CFOs to put in place the foundation for the next phase of certification which deals with the operating effectiveness of ICFR. Performing a risk based assessment of the design of ICFR, and making the investments to remediate whatever weaknesses are identified, will strengthen internal business control and help avoid future more costly or even embarrassing surprises. Assessing the design of ICFR may also identify opportunities to strengthen governance processes, such as the way in which the board monitors the implementation of an organization’s code of business conduct and the disciplines involved in establishing and sustaining a culture of integrity. This is essential for effective ICFR and should contribute more broadly to effective corporate governance. The time and cost spent on assessing ICFR design in 2006, together with the remediation of identified weaknesses, will be an investment that should pay dividends in future periods. Developing this publication brought to light two specific issues that, unless addressed, will also affect the fourth phase of certification. We raise these issues so that regulators and the CA profession can develop the appropriate responses to help issuers implement these new requirements. The first is the situation faced by an issuer who has identified and disclosed a material weakness in ICFR at the end of 2006. CEOs and CFOs of such issuers may be unwilling to provide the required certification about design of effective ICFR, and, since they are not permitted to modify the certificate, this may mean they are not be able to provide any type of certificate at all. The CSA is aware of this problem and is expected to provide staff guidance in the near future about disclosure of ICFR design weaknesses and changes. 53 Internal Control 2006: The Next Wave of Certification — Guidance for Management The second is the lack of guidance for small companies, especially micro cap companies, with respect to ICFR. Many of these companies do not have the resources to apply GAAP or design and implement effective segregation of duties, and they often have a controlling shareholder who is the CEO. In some areas, these small/micro cap issuers have material weaknesses in ICFR while in other areas they have strong controls due to the active involvement of the CEO/controlling shareholder in the business. While there are compensating steps that issuers and their audit committees can take to ensure the reliability of financial reporting, these may be costly. There is an urgent need, in our view, for well-developed practical guidance on ICFR design, material weakness disclosure and mitigating strategies for these small/micro cap issuers; the development of such guidance was well beyond the scope of this project. The top-down, risk-based approach to assessing the design of ICFR presented in this publication will provide a solid foundation for assessing the operating effectiveness of ICFR when it is required. This guidance is, however, only a beginning; it needs to be updated and enhanced as experience is obtained. The authors and the CICA’s Risk Management and Governance Board are anxious to obtain feedback, suggestions and ideas on how this guidance can be improved. Comments and suggestions will be appreciated and should be provided to rmgb@cica.ca. 54 J. Readiness for the Fourth Phase of Certification A1 Appendix 1 Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006 The CSA’s Revised Flight Plan Content Certification Control Certification Disclosure Controls (DC&P) 2004 Phase 1 Management’s Bare Certification of Financial Information (Annual and Quarterly) Phase 2 Phase 3 Phase 4 2005 Internal Controls (ICFR) 2006 2007 Management’s Bare Certification of Financial Information (Annual and Quarterly) Management’s Bare Certification of Financial Information (Annual and Quarterly) Management’s Bare Certification of Financial Information (Annual and Quarterly) Management’s Certification of Design and Evaluation of DC&P (Annual) Management’s Certification of Design (Annual and Quarterly) and Evaluation (Annual) of DC&P Management’s Certification of Design (Annual and Quarterly) and Evaluation (Annual) of DC&P Management’s Certification of Design of ICFR (Annual and Quarterly) Management’s Certification of Design of ICFR (Annual and Quarterly) Management’s Certification of Evaluation of ICFR (Annual – Earliest Date) 55 Internal Control 2006: The Next Wave of Certification — Guidance for Management Form 52-109F1 - Certification of Annual Filings I, <identify the certifying officer, the issuer, and his or her position at the issuer›, certify that: 1. I have reviewed the annual filings (as this term is defined in Multilateral Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings) of ‹identify issuer› (the issuer) for the period ending ‹state the relevant date›; 2. Based on my knowledge, the annual filings do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances under which it was made, with respect to the period covered by the annual filings; 3. Based on my knowledge, the annual financial statements together with the other financial information included in the annual filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer, as of the date and for the periods presented in the annual filings; 4. The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have: a. designed such disclosure controls and procedures, or caused them to be designed under our supervision, to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which the annual filings are being prepared; b. designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP; and c. evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and have caused the issuer to disclose in the annual MD&A our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on such evaluation; and 5. I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting. Signature Title Date 56 A1. Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006 A2 Appendix 2 MI 52-109 Definitions of Disclosure Controls and Procedures and Internal Control Over Financial Reporting From CSA MI 52-109, Part 1, 1.1: 1. Disclosure Controls and Procedures (DC&P) “disclosure controls and procedures” means controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under provincial and territorial securities legislation is recorded, processed, summarized and reported within the time periods specified in the provincial and territorial securities legislation and include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under provincial and territorial securities legislation is accumulated and communicated to the issuer’s management, including its chief executive officers and chief financial officers (or persons who perform similar functions to a chief executive officer or a chief financial officer), as appropriate to allow timely decisions regarding required disclosure;” 2. Internal Control over Financial Reporting (ICFR) “internal control over financial reporting” means a process designed by, or under the supervision of, the issuer’s chief executive officers and chief financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP and includes those policies and procedures that: (a)pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer, 57 Internal Control 2006: The Next Wave of Certification — Guidance for Management (b)provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issuer’s GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and (c)provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the annual financial statements or interim financial statements;” 58 A2. Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006 A3 Appendix 3 Where to Find More Information Securities Laws and Regulations — Canada www.osc.gov.on.ca/Regulation/Rulemaking/rrn_index.jsp Canadian Securities Administrators (CSA) — Multilateral Instrument 52-109 Certification of Disclosure in Issuers Annual and Interim Filings — Multilateral Instrument 52-109CP Companion Policy — Multilateral Instrument 52-110 Audit Committees — Multilateral Instrument 52-110CP Companion Policy — National Policy 58-201 Corporate Governance Guidelines — National Instrument 58-101 Disclosure of Corporate Governance ePractices — National Policy 51-201 Disclosure Standards — National Instrument 51-102 Continuous Disclosure Obligations — Staff Notice 52-311 Regarding Required Forms of Certificates under MI 52-109 — Staff Notice 52-313 Regarding Status of Proposed MI 52-111 and Proposed Amendments to MI 52-109 Amendments to the Securities Act (Ontario) and Regulation 1015 (as enacted in 2005 under Bill 198) Securities Laws and Regulations — United States http://www.sarbanes-oxley.com/section.php?level=1&pub_id=SarbanesOxley United States Securities and Exchange Commission (SEC) www.sec.gov 59 Internal Control 2006: The Next Wave of Certification — Guidance for Management CICA Publications www.rmgb.ca — CEO and CFO Certification: Improving Transparency and Accountability — 20 Questions Directors Should Ask about Codes of Conduct — 20 Questions Directors Should Ask about Internal Audit — 20 Questions Directors Should Ask about IT — 20 Questions Directors Should Ask about MD&A — 20 Questions Directors Should Ask about Risk 2nd edition — Risk Management: What Boards Should Expect from CFOs — Financial Aspects of Governance: What Boards Should Expect from CFOs — Integrity in the Spotlight: Audit Committees in a High Risk World — Learning about Risk: Choices, Connections and Competencies — Guidance on Control — Guidance on Assessing Control — Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure — Management’s Discussion and Analysis — Guidance on Preparation and Disclosure — CICA Handbook — Assurance Recommendations Other International Federation of Accountants Internal Controls — A Review of Current Developments, Information Paper, August 2006 www.ifac.org The Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA Internal Control over Financial Reporting — Guidance for Smaller Public Companies, 2006 Internal Control — Integrated Framework, 1992 www.coso.org Public Company Accounting Oversight Board (PCAOB, USA) Auditing Standard No.2 Perspectives on Internal Control Reporting — A Resource for Financial Market Participants (Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, PricewaterhouseCoopers LLP; USA, December 2004) 60 A3. Where to Find More Information Authors About the Authors James L. Goodfellow, FCA, is a partner and vice chairman of Deloitte who advises boards of directors, audit committees, corporate executives and securities regulators in Canada and internationally on corporate reporting and governance related issues. He recently co-authored the book Integrity in the Spotlight: Audit Committees in a High Risk World. He served as research director for the Joint Committee on Corporate Governance, is a past chairman of the CICA Accounting Standards Board, and has served on the CICA’s Emerging Issues Committee. He is a past chairman of the CICA Canadian Performance Reporting Board. He is a frequent speaker on issues related to financial reporting, corporate governance and audit committees. He believes strongly that the external auditor should be accountable to the board of directors and the audit committee as representatives of the shareholders, and that this repositioning of the auditor/client relationship can produce significant benefits to the effectiveness of the audit. Jim Goodfellow has served on the board of directors of Deloitte and, in the past, served as the firm’s National Director of Accounting & Auditing. He is a senior partner responsible for providing services to some of his firm’s largest clients. Alan D. Willis, CA, is an independent consultant in the fields of corporate governance, performance measurement and business reporting, with a particular focus on the linkages of these topics with sustainable development and the business value of stakeholder relations. He directed the development of CICA’s guidance on MD&A preparation and disclosure and wrote the related briefing “20 Questions Directors Should Ask About Management’s Discussion and Analysis.” He co-authored CICA’s publication “Learning about Risk: Choices, Connections and Competencies.” His first foray into the realm of corporate governance was writing a guidance booklet for audit committees and creating a documentary film about corporate directors in 1971. He observes that both would still be remarkably relevant today. 61 Internal Control 2006: The Next Wave of Certification — Guidance for Management As a member of the International Corporate Governance Network, he serves on its Non-financial Business Reporting Committee. He has worked extensively with Canadian and international initiatives to develop performance indicators and reporting guidelines relevant to corporate management of and disclosure about climate change impacts, environmental performance and corporate social responsibility. He is currently engaged in a multi-disciplinary North American project on the design of a new corporate governance model for the 21st. century. 62 About the Authors INTERNAL CONTROL 2006: THE NEXT WAVE OF CERTIFICATION Guidance for Management 277 Wellington Street West Toronto, ON Canada M5V 3H2 Tel: 416-977-0748 www.rmgb.ca