CEO challenge
By Jim Goodfellow & Alan Willis
Illustration: Gérard Dubois
In three short years, chief executive and chief financial
officers have been required to certify financial info in the name of bolstering integrity
Since 2004, three waves
of CEO and CFO certification have washed over corporate Canada, and there are more to come. All are aimed at
restoring investor confidence in financial reporting and related controls by improving accountability and
transparency — terms seldom heard during the ’90s, a time of heady growth, but which, since 2001, have
resurfaced as key business, governance and disclosure principles.
Certification was introduced to Canada in 2004 when the Canadian Securities Administrators (CSA) required
the CEO and CFO of a reporting issuer to certify the financial information in quarterly and annual filings.
In 2005, that was expanded to include certification about
disclosure controls and procedures. Last year, the third wave arrived. It requires certifying officers of
TSX and TSX-V issuers to file the full annual certificate for financial years ending on or after June 30,
2006 — which, for many reporting issuers, means the calendar year ended December 31, 2006.
The full annual certificate in CSA Multilateral Instrument 52-109 expands the certification to require
CEOs and CFOs to state they have “designed such internal control over financial reporting, or caused it to be
designed under our supervision, to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in accordance with the issuer’s
GAAP.”
In addition, they are required to certify that the annual Management’s Discussion and Analysis (MD&A)
discloses any changes in internal control over financial reporting (ICFR) that occurred in the latest interim
reporting period that have materially affected, or could materially affect, the ICFR.
This third wave of certification applies only to the design of ICFR, not its operating effectiveness. That
will be introduced in a fourth wave of certification, yet to come.
In March 2006, CSA Notice 52-313 announced that the CEO and CFO certificates of TSX and TSX-V issuers will
be expanded to include certification of the effectiveness of the issuer’s ICFR as of the end of the financial
year and certification that the certifiers have “caused the issuer to disclose in the annual MD&A [their]
conclusions about the effectiveness of internal control over financial reporting.” The CSA’s proposed rules
for this fourth wave of certification were to be released by the end of 2006. (At press time they had yet to
be published.)
As the certifications for Canadian reporting issuers continue to unfold, they will take a direction
different from certification rules in the US. Unlike Securities Exchange Commission registrants, issuers in
Canada will not, according to CSA Notice 52-313, be required to provide a separate management report on ICFR,
nor will they have to obtain their auditor’s opinion from an internal control audit or an opinion on
management’s assessment of the effectiveness of ICFR.
Readers may wish to review the CSA’s proposals in addition to the discussion here, which focuses on
helping CEOs and CFOs, their management teams and their audit committees finalize the assessment of ICFR
design and the disclosures needed in their annual MD&A to meet the certification requirements from June
2006 onward.
The top-down, risk-based approach
The current requirement to assess the design of ICFR creates a challenge. In effect, it requires
certifying that ICFR exists on paper, without requiring testing as to whether it actually works in practice,
especially during any particular reporting period. Therefore CEOs and CFOs need an organized, disciplined and
documented process for assessing and documenting their conclusions concerning the design of ICFR in order to
support their certification and MD&A disclosures.
The September 2006 CICA publication Internal Control 2006: The Next Wave of Certification provides a
straightforward, business-focused, top-down and risk-based approach for CEOs and CFOs to follow in assessing
and certifying the design of ICFR. This approach will also help companies prepare for the future evaluation
of the effectiveness of ICFR.
To be effective and efficient, a top-down, risk-based approach requires at least two things. First, there
must be a focus on the tone at the top, that is, the interaction between the board of directors and the CEO
in establishing the control environment and the culture of integrity. Second, there must be a sound process
for identifying principal business risks, including financial reporting and disclosure risks. The
effectiveness of a top-down, risk-based approach to assessing ICFR design is consistent with findings
reported in the August 2006 paper Internal Controls — A Review of Recent Developments issued by the
International Federation of Accountants. This notes a convergence of thinking over the past two years in
various countries’ and bodies’ pronouncements about internal control, emphasizing the importance of the tone
at the top and a focus on risk as the essential features of internal control.
Further, companies should view their assessment of ICFR as a business improvement opportunity, not just a
regulatory compliance task. The assessment of ICFR presents management, boards of directors and audit
committees with the opportunity to reassess what ICFR is intended to achieve: control over financial
reporting and disclosure risks. Companies should design and implement ICFR to achieve their business
objectives as well as satisfying their external reporting obligations. After all, without effective ICFR, how
can senior management and boards of directors be certain that decisions taken on the basis of internal
financial information are being made on a sound basis?
The International Federation of Accountants paper stated an interesting finding from a recent UK review
of its internal control code: “It was felt that those companies that viewed internal control as sound
business practice were more likely to have embedded it into their normal business processes, and more likely
to feel that they had benefited as a result, than those that viewed it primarily as a compliance
exercise.”
In summary, the tone at the top and the control environment, a focus on risk, the extent of active CEO
involvement and appropriate board oversight are critical elements of ICFR. A top-down, risk-based approach is
also likely to be more practical than the approach taken to date in the US for satisfying Section 404 of the
Sarbanes-Oxley Act.
Accountability and transparency
The CSA’s certification regulations are based on two fundamental principles: accountability and
transparency. The accountability principle is achieved through separate and personal certifications from the
CEO and the CFO.
The transparency principle is applied at four levels. The first, the content level, refers to the degree
to which the information in the filings enables readers to reliably assess and interpret the financial
condition, results of operations and cash flows of the issuer. The second level, a process level, refers to
the reliability of disclosure controls and procedures (DC&P), and disclosures of any material weakness in
them. Now, the third level — also of process — has been added to address the design of ICFR and include
disclosures about changes in ICFR. In future, as a fourth level, there will have to be disclosures arising
from management’s conclusions from their evaluation of the effectiveness of ICFR.
Unfortunately, many issuers seem to have missed the messages about transparency and accountability, which
are embedded in the CSA disclosure requirements. The certification requirements about DC&P call for CEOs
and CFOs to state that they have caused the issuer to disclose in the annual MD&A their conclusions about
the effectiveness of the DC&P as of the end of the period covered by the annual filings.
However, based on a sample of 286 issuers selected from across the country, the CSA found, according to
CSA Staff Notice 52-315 in September 2006, that: “Approximately 28% of issuers in our sample, however, failed
to include this disclosure in their annual MD&A. This widespread noncompliance with such a clear and
basic requirement shows that many issuers are not paying adequate attention to their disclosure obligations.
We are particularly concerned by the failure to include the disclosure regarding disclosure controls and
procedures in the annual MD&A given that, in most cases, the certifying officers specifically represented
in their certificates that they had caused the issuer to include this disclosure in the annual
MD&A.”
Clearly, this disclosure requirement has hit the CSA’s radar screen, and it will undoubtedly continue
monitoring compliance with it.
What is less clear is whether the CSA will expand its focus to assess the level of effort CEOs and CFOs
are putting into their assessment of DC&P, or to assess whether any material weaknesses exist in it.
Perhaps it will take challenges and decisions in the courts under civil liability to ultimately clarify the
expectations and consequences concerning the judgments made in the process of the evaluations and related
personal certifications.
Materiality
Materiality in relation to a design weakness should be based on the extent to which it would
increase the risk that errors that could mislead investors would be made or not be detected in the issuer’s
published financial statements prepared in accordance with the issuer’s GAAP.
The accounting literature contains guidance in making materiality determinations from both qualitative and
quantitative perspectives. Unfortunately, little Canadian guidance is available to help management evaluate
the likelihood of errors occurring, or what would constitute a low versus high likelihood. Current US
guidance — Rule 2 of the US Public Company Accounting Oversight Board — defines a material weakness as “a
significant control deficiency, or combination of deficiencies, that results in a more than remote likelihood
that a material misstatement of the annual or interim financial statements will not be prevented or
detected.” The bottom line is CEOs and CFOs must use their professional judgment in assessing their findings
with respect to the design of ICFR and determining the appropriate disclosure in the MD&A.
Three levels of disclosure may be considered in evaluating a weakness in the design of ICFR:
- Type A — weaknesses considered material, which should be disclosed in the MD&A as well as to the
audit committee and external auditors
- Type B — weaknesses not considered material but significant enough to be communicated to the audit
committee and external auditors, and
- Type C — weaknesses that are not significant from an external reporting perspective but should be
communicated to the appropriate member of management for remediation.
CEOs and CFOs should develop, in consultation with internal auditors, external auditors and the audit
committee, their own criteria for applying these categories in practice.
Disclosure in the MD&A
The CSA Staff Notice 52-316 in September 2006 has made it clear that the CEO’s and CFO’s individual
conclusions about the effectiveness of the DC&P should include the disclosure of identified weaknesses in
ICFR:
“Given the substantial overlap between the definitions of DC&P and ICFR, it is our view that the
certifying officers therefore should cause the issuer to disclose in the annual MD&A the nature of any
weakness [this is taken to mean any weakness that would cause the certifying officers to doubt whether the
design of ICFR provides reasonable assurance regarding the reliability of the financial statements and
whether they are in accordance with the issuer’s GAAP] in the design of the issuer’s ICFR, the risks
associated with the weakness and the issuer’s plan, if any, to remediate the weakness. If no such plan
exists, the issuer should consider disclosing its reasons for not planning to remediate the weakness.”
As a matter of prudence, management should also investigate and correct any financial statement errors
that may have occurred as a result of the ICFR design weakness in the current reporting period and in future
reporting periods until the weakness is remediated.
For example, suppose a material weakness in the design of ICFR is detected and disclosed in the 2006
annual MD&A. Management should conduct an investigation to ensure this weakness did not result in
material errors in the 2006 financial statements before these statements are finalized and released. Then
they should conduct a similar investigation in the first quarter of 2007, and in subsequent quarters, until
the ICFR design weakness is corrected. To do otherwise could leave the CEO, CFO and the company’s directors
exposed to legal and/or regulatory actions if there were a material error in the financial statements and
they had done nothing to ensure the financial statements were fairly presented when they were aware that a
material design weakness existed in ICFR.
The chart “Deciding disclosure,” page 36, may be helpful to CEOs and CFOs in deciding about MD&A
disclosures of weaknesses in ICFR design.

The CEO/CFO certificate for 2006 also requires CEOs and CFOs to disclose in the MD&A any
material changes in their ICFR that were made in the most recent interim reporting period (e.g., fourth
quarter for annual MD&As). This applies to changes that have materially affected ICFR and those that are
reasonably likely to do so in the future.
The chart “Q4 change disclosure,” page 38, may be helpful in deciding about disclosures of fourth-quarter
changes in ICFR design.

Signing certificates when material ICFR weaknesses exist
CEOs and CFOs will face a dilemma when they come to sign their certificates in situations where:
- an uncorrected material weakness in the design of ICFR has been identified as of the end of the reporting
period,
- appropriate MD&A disclosure has been made about the weakness, and
- appropriate steps have been taken to ensure the weakness has had no material effect on the financial
statements.
The wording of the required certification cannot be altered or amended and the certificate explicitly
states that the CEO and CFO “have designed ICFR to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for external purposes in accordance with the
issuer’s GAAP.” However, the disclosure of an ICFR design weakness in the MD&A suggests that reasonable
assurance as to the reliability of financial reporting does not exist. Faced with such a dilemma, what are
CEOs and CFOs to do?
The September 2006 CSA Staff Notice 52-316 stated, “In our view, the certifying officers can certify the
design of the issuer’s ICFR if the issuer’s disclosure about the identified weakness presents an accurate and
complete picture of the condition of the design of the issuer’s ICFR.”
In such a situation, CEOs and CFOs are advised to bring the matter to the attention of the audit committee
and consult legal counsel to determine an appropriate course of action.
If the issuer is disclosing a remediation plan for an identified material weakness in ICFR, it would be
wise for that plan to clearly indicate what actions will be taken and when, as well as the commitment and
capability to carry them out. Further, the plan should be approved by the CFO, the CEO and the audit
committee and the disclosures should be continued until the audit committee is satisfied that the remediation
plan has been fully implemented.
Management and audit committees are advised not to try to rationalize why an ICFR design weakness is not
material and therefore does not need to be disclosed, in order to avoid the contradiction that might
otherwise appear to arise between the disclosures in the MD&A and the wording in the required
certificates.
Implications for smaller issuers
Small companies with limited resources may have certain ICFR design weaknesses (e.g., segregation of
duties) that are difficult or wholly unreasonable to rectify. Because of this, many small companies may need
to conclude that their ICFR is ineffective. They will, therefore, have to disclose the material weaknesses in
ICFR in the MD&A and also, by consequence, have to report in the MD&A that their disclosure controls
are ineffective.
As noted above, the CSA’s Staff Notice 52-316 indicated in September 2006 that issuers should “disclose in
the annual MD&A the nature of any weakness in the design of the issuer’s ICFR, the risks associated with
the weakness and the issuer’s plan, if any, to remediate the weakness. If no such plan exists, the issuer
should consider disclosing the reasons for not planning to remediate the weakness.”
There are, however, actions that management and the audit committee may wish to consider that are less
costly than remediating the ICFR design weakness, in order to provide investors with assurance that the ICFR
design weaknesses have not resulted in material error in the financial statements. For example, the audit
committee could engage the external auditor to perform quarterly reviews of interim financial statements. If
the audit committee engages auditors to perform quarterly reviews, this fact should be disclosed in the
MD&A.
Conclusion
The requirement to certify the design of ICFR cannot be avoided. Management can, however, carry out
its ICFR design assessment process in a way that ensures ICFR supports both internal business decision-making
and the reliability of external financial reporting. By taking such an approach, the time and effort spent in
ICFR design and a top-down, risk-based assessment will be more likely to earn a return on the investment
made. It may also help to support a due diligence defence by management and the board, should one ever be
required. Finally, the actions taken and lessons learned now in assessing the design of ICFR will be of value
in future when CEOs and CFOs face the fourth wave of certification — the annual evaluation of ICFR operating
effectiveness.
Jim Goodfellow, FCA, is chair of the CICA’s Canadian Performance Reporting Initiative Board and partner at
Deloitte & Touche LLP
Alan Willis, CA, is an independent consultant in corporate governance, performance measurement and
performance reporting. He coauthored with Jim Goodfellow CICA’s September 2006 guidance for management and
directors, Internal Control 2006: The Next Wave of Certification