News from the profession    
 
   
 

News from the profession

A summary of current CICA projects and initiatives

Two guides on International Control Certification

In 2006, CEOs and CFOs of public companies are required, for the first time, to certify that they have designed internal control over financial reporting (ICFR). CSA’s MI 52-109 sets out the requirement to certify but leaves companies to determine for themselves the right approach for their business. The CICA has taken a leadership role to fill this critical gap by providing CEOs and CFOs a commonsense, practical guide that not only positions them to meet their 2006 needs and prepare for 2007 but also sets out best practices that can add long-term value to businesses.

Canadian companies that are SEC registrants, which already must comply with US Sarbanes-Oxley 404 requirements, may use their US certificates to satisfy Canadian requirements. Most other Canadian companies, however, will find that certifying the design of ICFR is no small task. Material changes in the company’s ICFR that occurred during the most recent interim period also have to be disclosed in the Management’s Discussion & Analysis (MD&A). A final phase of certification, to become effective for 2007 at the earliest, is expected to require disclosure about a management (but not auditor) evaluation of the effectiveness of ICFR.

This year, however, CEOs and CFOs are required to assess only the design of ICFR — not its operating effectiveness. This creates a challenge because it is like certifying that ICFR exists on paper, without ensuring that it also works in practice. Therefore, CEOs and CFOs need an organized, disciplined and documented process for assessing the design of ICFR in order to support this year’s certification.

The new CICA publications, Internal Control 2006: The Next Wave of Certification, Guidance for Management and the companion guide Guidance for Directors, provide a straightforward approach that CEOs, CFOs, audit committees and boards of directors may follow on the certification of the design of ICFR. Apart from its practical usefulness, the document aligns with global standards and codes for internal control as recently surveyed by the International Federation of Accountants. It will also help companies prepare for the next phase — the evaluation of the effectiveness of ICFR.

A key feature of the process proposed for Canadian companies is that the assessment of ICFR should be top down and risk based to ensure a focus on important financial reporting and disclosure risks. The tone at the top, CEO active involvement and the control environment — board involvement, in other words — are considered essential elements of ICFR. This top-down, risk-based approach contrasts with the very detailed transaction-level approach widely taken in the US for SOX 404 purposes.

Other important features of the process include:

  • The assessment should be integrated, wherever possible, with management’s control monitoring activities and should include at least some limited level of testing.
  • The process should be based on (but necessarily tied to) a recognized control framework, such as COSO’s 1992 Internal Control — Integrated Framework.
  • ICFR is a subset of Disclosure Controls and Procedures: a weakness in one is a weakness in the other, and should be disclosed accordingly.

To assist audit committees and boards, the Internal Control 2006: Guidance for Directors includes 20 questions that audit committees may want to ask CEOs and CFOs about their certifications of ICFR and the underlying process they carried out to support the certifications. Suggestions are also offered as to ways in which a company’s external auditors may be able to assist audit committees.

These new CICA publications are expected to be welcomed by CEOs, CFOs and audit committees, who have limited time to meet the 2006 ICFR certification requirements. Smaller firms with limited resources and infrastructure for financial reporting are those particularly likely to appreciate and use the publications.

Since 2004, the CICA has published two other documents to support CEOs and CFOs in understanding the new requirements and in meeting their accountabilities at each phase of implementation of MI 52-109. The publications also support boards and audit committees in understanding implications relating to their governance role. The documents include:

  • CEO and CFO Certification — Improving Transparency and Accountability (2004), and
  • Understanding Disclosure Controls and Procedures — Helping CEOs and CFOs Respond to the Need for Better Disclosure (2005).

CICA’s publications on internal control have advanced financial reporting and internal controls in a way that fosters principles of good governance and business management. The two latest publications further demonstrate CICA’s ongoing leadership in the development of practical guidance on reporting and controls that help business leaders enhance the competitiveness of their corporations and the integrity of their financial reporting.

Copies of Internal Control 2006: The Next Wave of Certification can be downloaded free-of-charge from the CICA website at http://www.cica.ca/index.cfm/ci_id/33684/la_id/1.htm. Comments or queries can be sent to rmgb@cica.ca