Learning from SOX: Canadian regulators prepare to introduce a kinder, gentler internal controls instrument.It has been more than a year now since organizations south of the border, and those listed on U.S. exchanges, began implementation of the Sarbanes-Oxley Act (SOX). The greatest challenge in the process appears to have been the implementation of internal control reporting provisions outlined in Section 404 of the act. Concern over this section led to a Securities and Exchange Commission (SEC)-hosted roundtable on the topic in April of this year, and a congressional hearing on April 21st. As the Canadian Securities Administrators (CSA), other than British Columbia, prepare to introduce Multilateral Instrument 52-111 Reporting on Internal Control over Financial Reporting, it's worth considering how Canada's rules will measure up. From initial reports, it appears that we'll fare much better. [ILLUSTRATION OMITTED] Correcting the cost/benefit balance Consensus from the SEC's roundtable suggested that, although the concept of Section 404 is valid, the cost/benefit ratio has been out of whack. Many of those involved in the discussions believed year one compliance and auditing costs were too high and should be reduced in the future. The high costs were at least partly due to the lack of documentation and the fact that there was a lot of deferred maintenance to be managed. Organizations and their auditors were also on a steep learning curve, which was affected by the timing of the release of the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2, other guidance materials released by the accounting firms, and the compliance deadline. The guidance provided by accounting firms also varied widely. As Darren Jones, CMA, associate director of technology risk at Protiviti notes, "the rules came into force fast and furious. The guidance from accounting firms was imprecise until November 2004, so companies didn't have much time to test, remediate and demonstrate their compliance processes. This may have led to some overspending on consulting. Auditors guidance also varied from firm to firm--each asked for different levels of documentation, some provided detailed guidance, some provided very little." In his testimony to U.S. Congress, former SEC Chairman William Donaldson noted that companies had spent a lot of time and money on SOX, particularly Section 404. "Even companies that started with a sound system of controls have faced the task of documenting and comparing them against an objective benchmark," he accepted. "This is a complex undertaking for a small company, and exponentially more so for a firm with multiple lines of business, thousands of employees and global operations." Donaldson and others see some of these costs as short-term--in other words, once the systems are in place, maintaining them won't be nearly as expensive. They will also create improved corporate structures and more reliable financial reporting. "Calls to roll back or weaken Sarbanes-Oxley generally as a result of concern over the costs of internal control reporting are, in my judgment, unjustified," he concluded. Still, he did accept that the SEC and PCAOB had to accept that some recalibration and adjustment might be necessary to avoid unnecessary costs. Efficiency and effectiveness are clearly still on the agenda. The goal and challenge for reporters in the U.S. will be getting the right guidance, and Jones says this has started to work itself out. "All of the people at our firm involved in SOX compliance discuss the issues we are encountering weekly," he says. "With more feedback from the field, firms are coalescing in their reporting expectations." Market confidence There are, of course, other challenges. Audit firms noted that due to time constraints, it wasn't possible for them to integrate the audits on internal control over financial reporting and the financial statements. The need for best practices, not surprisingly, is an issue as well. Many noted that there was significant variability in practice, and that best practice examples and case studies would help improve consistency. Several commenters suggested that further dialogue among companies, auditors and the regulators was necessary to develop best practices. Companies, auditors and other report users are also requesting clarification for the definition of the "more than inconsequential" threshold, and how material weaknesses should be assessed, aggregated and classified. Users want more uniformity in the disclosures of material weaknesses so they can evaluate their impact. This is an important point. As Jones notes, "if one firm has a history of more detailed auditing, will some firms get graded tougher?" This is certainly a risk but with more discussion of best practices and defining parameters, the hope is that this will be cleared up. But there appears to be no debate of the fact that SOX is here to stay. Likewise, in Canada internal control reporting rules are going to change the regulatory landscape for good. As John Carchrae, chief accountant of the Ontario Securities Commission, said at a recent presentation on the new Instrument, the new rules are essential to "ensure confidence in the markets, to protect our international reputation. "We can't afford to be complacent," he stressed. "We have had our own significant financial accounting failures, and the problems that have occurred south of the border are indicative of what we have faced or could face if we are not diligent." Carchrae noted that, whether SOX was implemented in haste or not, and though it has been seen as drastic in many areas, given the speed with which it was introduced, it is fairly good legislation. "It's not perfect but it addresses the key issues," he said. "We concluded that if we did not act, there would be a spillover effect and a loss of confidence in the Canadian market," Carchrae continued. Had that happened, Ontario and the rest of Canada could have seen their fortunes dip in world markets. The importance of creating confidence in the investing community is paramount, and the new internal control instrument is an important part of that endeavour. "Strong internal controls create better discipline and promote a culture in which strong internal controls are valued. Absent effective controls, it's hard to deliver information efficiently." After careful deliberations, the Canadian Securities Administrators decided to basically mirror the SEC rules. Carchrae characterized the new Canadian rules as less prescriptive than the U.S. approach, but the main difference really appears to be the reach of the legislation, and the implementation timetable. Canadian rules The proposed internal control instrument, which the members of the Canadian Securities Administrators (except for B.C.) hope to implement shortly, will require that the management team of certain Canadian issuers evaluate, under the guidance of the CEO and CFO, the effectiveness of internal control over financial reporting. The instrument also requires that the auditors report on management's internal control assessment based on CICA standards. The internal control report must identify the control framework used by management to evaluate the effectiveness of internal control measures. It must also include an assessment of the effectiveness of the measures, and disclosure of any material weaknesses identified by management. Disclosure has to be made of any limitations management may have faced in the assessment of internal control effectiveness raised by a joint venture or a variable interest entity in which the company has a material interest, or a business that was acquired during the financial year. The issuer's board of directors must approve management's report before it is filed. According to the proposed instrument, internal control over financial reporting means a process designed by, or under the supervision of the CEO and CFO, effected by the board of directors, management and other personnel, to provide reasonable assurance of the reliability of financial reports and their preparation for external purposes in accordance with Generally Accepted Accounting Principles (GAAP). The proposed instrument requires that management base its evaluation of the effectiveness of internal control over financial reporting on a suitable control framework. The companion policy to the proposed instrument specifically identifies a few existing frameworks that satisfy its criteria for effective control design. These include Risk Management and Governance/Guidance on Control, published by CICA's Criteria of Control Board (CoCo) and Internal Control--Integrated Framework, published by The Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO). COSO has been used almost exclusively as the framework for compliance with SOX Section 404 in the U.S. and among Canadian SEC registrants. Scope The Instrument doesn't prescribe the scope of the evaluation of internal control of financial reports; the CSA believes that this should be left for management's judgement. The reasoning is that all issuers will have different requirements, depending on their size, nature of business and complexity of operations. According to the companion policy, controls subject to assessment should include (but are not limited to): * Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions included in the financial statements; * Antifraud programs and controls; * Controls, including information technology general controls, on which other controls are dependent; * Controls related to the selection and application of appropriate accounting policies, in accordance with GAAP; * Controls over the period-end financial reporting process; and * Controls that have a pervasive effect, such as the assignment of authority and responsibility, consistent policies and procedures, and entity-wide programs that apply to all locations and business units. These controls are essentially the same as those introduced by SOX Section 404. Companies will be required to provide evidence that supports their assessment claims. This will require a list of controls designed to: prevent or detect fraud; safeguard assets; monitor period-end financial reporting and processes; explain how transactions are initiated, authorized, recorded, processed and reported; explain the flow of transactions to identify points where material misstatements due to error or fraud might occur; and more. Regardless of the scope management decides to use in its endeavours to produce a proper report, it must be able to reproduce any required information within a reasonable amount of time. The instrument applies to all reporting issuers except investment funds and venture issuers. This is slightly different from the rules for Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings (also under revision), which applies to all reporting issuers other than investment funds. A venture issuer is defined as an issuer not listed or quoted on any of the Toronto Stock Exchange, American Stock Exchange, NASDAQ National Market, NASDAQ SmallCap Market, Pacific Exchange or a marketplace outside of Canada or the U.S. The introduction of internal control reports and internal control audit reports are to be phased in over four years, starting with financial years ended on or after June 30, 2006. The implementation dates are as follows: * Issuers with a market capitalization greater than $500 million -- June 30, 2006 * Issuers with a market capitalization of $250 million or more but less that $500 million -- June 30, 2007 * Issuers with a market capitalization of $75 million or more but less than $250 million -- June 30, 2008 * Issuers with a market capitalization of less than $75 million -- June 30, 2009 Market capitalization is defined, briefly, as the total number of listed equity securities of the class outstanding on June 30, 2005, multiplied by the weighted average of the market price for the listed equity securities for each of the 20 trading days immediately following June 30, 2005. Strategic alignment The securities administrators hope that the phased in approach to these regulations will provide issuers sufficient time to prepare for reporting changes, avoiding the many problems experienced with SOX compliance in the U.S. Of course, it's important for organizations to have a plan in place to make this happen. There is no question that the initial expense of the new regulations may be high for some companies as they create a more rigorous, disciplined disclosure and financial reporting regime. But once in place, such a system should be sustainable and more cost-effective. The important point is that work start as soon as possible. Darren Jones notes that many U.S. firms underestimated the time and resources necessary in the first year, and this was a problem for them. A carefully designed approach makes all the difference. Make sure you have what's necessary. Leadership A champion for this change initiative is essential, and should be either the CEO or CFO--a senior executive who can provide direction to the project team and communicate the project to the rest of the organization effectively. The complete project team, their roles and responsibilities, should also be clearly established. A clear understanding of the resources available, both internal and external, should be noted. Plans Setting up objectives, a critical path, key indicators, milestones and checkpoints are important and should take into account the need for the auditor to have plenty of time to review material as well. Allow for enough lead time prior to the deadline agreed to with your auditor to get the material collated. Implementation = communication Throughout the implementation, communication among management and internal and external auditors is critical. A clear understanding of the parameters in which you are working has to be established among all involved. This means identifying the control units to be assessed, the documentation and assessment methods, the control framework, and the internal and external communications plans. Jones notes that, currently, he is seeing a lot of focus being placed, necessarily, on basic entity level controls. "Companies are flushing out the inconsistencies as a first step," he says. "They are looking at their strategic business planning, ethics policies, their code of conduct, making sure that these are all clearly defined. We're seeing more interaction among committees that run businesses, and they're working out precisely how the decision framework in their organizations actually works--how this framework fits into day-to-day operations. It's all about the tone at the top, how it works and the entity-level issues at play from the start. Through the process, management is getting a better idea of how the company as a whole operates." Due to feedback they have received, the regulators in Manitoba and Alberta still have reservations about the implementation of this particular instrument but it's clear that, in some form, Canadian organizations will have to begin revamping their control systems to comply. If done right, the new rules should help companies understand themselves better, and by doing so, become more efficient and effective. Robert Colman is editor-in-chief of CMA Management. RELATED ARTICLE: Internal control audit guidance--PCAOB responds The Public Company Accounting Oversight Board (PCAOB) recently published additional guidance to auditors on how to implement the PCAOB's Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. The guidance consists of a Board Policy Statement Regarding Implementation of Auditing Standard No. 2 and a series of staff questions and answers. The questions and answers offer technical guidance to auditors on how to use the provisions and underlying principles of Auditing Standard No. 2 to conduct effective and cost-efficient audits of public companies' internal control over financial reporting. The Board's Policy Statement amplifies some of the themes in the questions and answers and articulates the Board's policy on how it intends to administer Auditing Standard No. 2 in its oversight of the registered public accounting firms that audit public companies. The guidance represents the PCAOB's response to questions and concerns raised at the April 13 Roundtable on Implementation of Internal Control Reporting Provisions, hosted by the Securities and Exchange Commission and attended by the PCAOB. Both the Board Policy Statement and the staff questions and answers focus primarily on the scope of the internal control audit and how much testing of a company's internal control over financial reporting is required. The PCAOB identified these as the issues that drove costs up in the first year of implementation. In particular, the staff questions and answers seek to correct the false impression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit effectively and cost-efficiently. To review the guidance, visit www.pcaobus.org--it is available under Standards, Staff Questions and Answers at the Web site. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion