PERSONAL FINANCE
+ Return to investing
+ US real estate
+ Post-work worries
+ More...
SMEs
+ Use your assets
+ Surviving in tough times
+ How CAs can add value
+ Entering foreign markets
+ Valuing small firms
+ Expanding the biz
+ More...
IFRS AND ISA
+ IFRS and Canadian GAAP
+ New auditing standards
+ Gauging ISA adoption
+ IFRS and audit firms
+ More...
TECHNOLOGY
+ ERP and PSA survey
+ BI/CPM survey
+ CRM survey
+ More...
WORKPLACE
+ Diversity in the profession
+ CSR is worth it
+ Health and productivity
+ Preventing fraud
+ Chronological resumes
+ Expense fraud on rise
+ Gen X, Gen Y
+ Meeting time-savers
+ Bonuses still top reward
+ More...
CA STUDENTS
+ Articling in industry
+ Destination: CA
EXPERTISE
+ Global transfer pricing
+ More...
Transparency and accountability
By Christina Schoelch + Yves Nadeau
Illustration: Mike Constable
MI 52-109 means that the public reporting and disclosure process for Canadian public corporations is now improved
Regulations adopted by the Canadian Securities Administrators (CSA), specifically Multi-lateral Instrument 52-109, set standards that certifying officers of public corporations must comply with to ensure they have clearly understood and fulfilled their public disclosure responsibilities. The requirements apply to annual and interim filings as well as continuous disclosures.
This transparency and accountability standard for certifying officers encompasses several components as well as the entire public reporting and disclosure process. Besides financial reporting, the transparency requirement applies to any information capable of influencing the public’s investment decisions.
Last summer, the CSA put the finishing touches on MI 52-109, applicable in Canada for fiscal years ending on or after December 15, 2008.
For some years now, the CSA has sought to harmonize its regulations with those adopted in the US to avoid creating market difficulties and to maintain the quality of our own market system. However, the harmonization of Canadian regulations has been delayed because the US Sarbanes-Oxley Act, enacted in 2002, constitutes the core of the securities regulations Canada has tried to parallel. This delay, however, gave us a chance to watch what was happening south of the border and capitalize on our neighbours’ experience.
Certain differences from US regulations have been noted, as well as possible consequences for officers of Canadian companies. In addition, this legislation allows companies to introduce new governance practices enabling officers to address the compliance aspect of the new guidelines and also to take advantage of the new requirements to manage their companies more effectively.
One of the most striking differences vis-a-vis the US provisions is that there is no requirement for an external auditor to be involved in the internal control certification process. US authorities have required public companies to obtain an independent certificate from their auditor on the design and operation of internal control procedures of reporting issuers. The CSA has focused instead on the requirement to report in the MD&A on the operation of the internal control framework and the need to disclose any significant deficiencies in the design and operation of internal control procedures.
The CSA notes, however, that few small issuers have reported deficiencies in internal control design, even though this requirement has been in effect since 2006. Yet, control environment deficiencies typically found in small entities include segregation of duties, general IT controls, the potential for management override, and lack of resources and staff to perform controls for these entities. Is this deficiency in reporting due to a misunderstanding by corporate management of its responsibility for internal control reporting, or simply to a lack of rigour in reporting practices? This finding may prompt the CSA to review its position on the external auditor’s role in the reporting process. One of the arguments for sacrificing external auditor involvement is based on a survey of public corporations describing the high cost of compliance.
The result is increased responsibility for management, especially the reporting entity’s audit committee. The audit committee’s responsibility for approving the financial statements is already known. The MD&A is an integral component of securities commission filings that must be approved by the audit committee, which is also responsible for evaluating the operating effectiveness of internal controls and reporting any material weaknesses and remediation actions undertaken.
The CSA has also enhanced audit committee quality by requiring public companies to set up an audit committee whose members are sufficiently competent in financial reporting to evaluate the accounting policies and special considerations of the companies for which they act as audit committee members. To evaluate the quality of internal control and audit methodologies, audit committee members must take account of the substance of accounting transactions and procedures.
To this end, they can request information from management, rely on the internal auditor or launch their own special investigations. Smaller entities may wish to rely on their external auditor if they do not have an internal auditor or a general structure robust enough to meet their needs. Also, external auditors should play a minimum role to ensure their conclusions on internal control within the scope of the audit engagement are not inconsistent with management’s conclusions regarding their certification of internal control procedures. The CICA has foreseen such situations and devoted a section of its Handbook to the matter.
Some situations have required special scrutiny, particularly in the case of small companies and venture issuers. First, because it is difficult for many small companies to comply with MI 52-109, the Committee of Sponsoring Organizations (COSO) has issued a specific framework entitled COSO — Internal Control over Financial Reporting — Guidance for Smaller Public Companies. Next, under the new regulation, venture issuers are not required to include statements on disclosure controls and procedures (DC&P) or internal control over financial reporting (ICFR) in their certificates or to report in their annual and interim MD&As changes to ICFR or the signing officers’ conclusions on the effectiveness of DC&P and ICFR. These issuers are only required to file a basic certificate along with an explanation to investors of differences between the basic certificate and the full certificate to be filed by issuers other than venture issuers. Other exemptions have also been incorporated into the regulations, specifically for any proportionately consolidated entity or variable interest entity in which the issuer has an interest, or any business acquired by the issuer not more than 365 days before the issuer’s year-end.
What are the significant disclosures management is required to make? This is another dilemma for those in charge of financial reporting. This concept has been addressed in the new regulation, which refines the definition of internal control weaknesses that must be remediated to match the US definition, i.e. a weakness that gives rise to a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. In addition to material weaknesses, the new requirements specify the nature of control environment changes that are likely to modify ICFR. Business acquisitions and disposals, new financial reporting systems, reorganizations or restructurings, key management departures and hires and, above all, the existence of fraud are required disclosures. The Ontario regulations extend the concept of internal control to include anything leading to misuse of a company’s assets, more specifically fraud.
Additionally, recent turmoil in the money markets, specifically the asset-backed commercial paper (ABCP) crisis, will also complicate evaluation and reporting for public companies, which must now disclose the methods used to report the valuation of these volatile assets, and more importantly, how their company is affected by problems in their industry and how they intend to respond. The CICA recently issued an alert on corporate performance in the wake of the ABCP crisis. The alert discusses the need to report the effect of this situation on the company’s liquidity and results, operations financing, reported financial statement balances and its ability to remain a going concern.
Certification of the operating effectiveness of the internal control framework is the most significant addition to MI 52-109, especially in the current context, and the one that will require the greatest long-term effort for companies. Thus, it is imperative for companies to take this opportunity to introduce the best internal control practices. The CSA postponed the application of this provision from 2007 to 2008 to give companies time to assess their business risks and implement control mechanisms to address material financial reporting risks. Also, certification programs should specifically focus on these controls to assist management in certifying the operating effectiveness of the internal control framework.
Concurrently with the new regulations filed by the CSA on reporting the design and operating effectiveness of public company ICFR, COSO issued an exposure draft last June and a request for comments ending August 15, 2008. The exposure draft provided guidance on monitoring internal control systems in response to a widespread perception that many companies do not rely sufficiently on their internal control structure. Furthermore, these companies were often adding redundant internal control procedures for which management already had sufficient evidence of their operating effectiveness. Others were not sufficiently basing their assessment of internal control on continuous monitoring, but were performing often ineffective year-end evaluation procedures to support their conclusions on the fiscal year-end in question. Accordingly, the advisory body COSO decided to issue new guidance to compel companies to use the monitoring component of their internal control framework.
The new guidance is basically premised on management’s commitment and a concern among companies with integrating internal control monitoring into their operations. A frequent need to perform separate internal control evaluations strongly suggests that a company should focus on improving these internal control monitoring procedures and integrating the monitoring process rather than adding new controls. A baseline for the operation of controls can thus be established with a view to continuous quality improvement.
Information technology provides an interesting opportunity for tracking internal control effectiveness and quality. Monitoring done by control process owners can often be directly incorporated into a databank for purposes of reporting on the operation of controls to management. Although self-assessment of results is not a cure-all, it is a good line of defence for monitoring control operations. The internal audit will then substantiate these results based on a schedule established by management. Some companies provide financial incentives based on observed differences between the findings of control process owners and internal audit evaluations. These methods have been known to show that managers seek to report control operation as objectively as possible so that no differences are found in subsequent audits.
Information technology can also be used to automate monitoring procedures in order to save time and reduce manual work. There are many potential applications, but they usually fall under one of the following categories:
- evaluation of a system’s operating state;
- error identification and tracking;
- evaluation of data processing integrity;
- identification of information system changes.
We believe that by implementing the kind of monitoring framework proposed here and integrating it with management processes and systems, companies will achieve the twofold goal of improving internal control and business operations while reducing the cost of certifying internal control effectiveness to public company shareholders. It is management’s job to follow the new guidance for the sake of the shareholders and the company.
Christina Schoelch, CISA, is principal, risk management consulting group, with RSM Richter Chamberland in Montreal.
Yves Nadeau, CA, is audit and risk management partner with RSM Richter Chamberland in Montreal. He is also CAmagazine’s Technical editor for Assurance
