INTERNAL CONTROL 2006: THE NEXT WAVE OF CERTIFICATION Guidance for Directors James L. Goodfellow and Alan D. Willis


Copyright © 2006 The Canadian Institute of Chartered Accountants
277 Wellington Street West, Toronto, Canada M5V 3H2

www.rmgb.ca

Disponible en français Printed in Canada

Table of Contents

Preface

A. Introduction

B. The Four Phases of Certification

C. Relationship between ICFR and DC&P

Key Messages

D. The Board’s Responsibilities Regarding the Control Environment

Board influence over the control environment and “tone at the top”

Board influence over the control environment for venture issuers and small companies

Key Messages

E. Understanding the Process for Certifying the Design of ICFR

1. Review relevant control information

2. Identify relevant control “systems” and material account balances

3. Identify major financial reporting risks

4. Assess the quality of the control environment

5. Assess other entity level controls

6. Assess process level controls

7. Assess findings, form conclusions, make disclosures

Review assessments of ICFR design

Disclosure considerations

Issues for small companies and their audit committees

Disclosure examples

Key Messages

F. The Role of the Audit Committee and External Auditors

The responsibilities of the audit committee and board of directors

The responsibilities of the external auditor

Communication with the audit committee

Additional help from the external auditors

Key Messages

G. Questions Audit Committees Might Ask

H. Readiness for the Fourth Phase of Certification

Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006

Appendix 2: Where to Find More Information

Preface

The Risk Management and Governance Board (the RMG Board) of the Canadian Institute of Chartered Accountants commissioned this document to help boards and particularly audit committees to fulfill their oversight responsibilities regarding external financial reporting, in particular Internal Control over Financial Reporting (ICFR) and the related CEO and CFO certifications for 2006.

The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to include for the first time in their 2006 annual certificates statements about the design of internal control over financial reporting and related MD&A disclosures. This is in addition to the existing certifications that address disclosure controls and procedures (DC&P).

There are persuasive reasons for audit committees and boards of directors to ensure they are informed about ICFR and engaged in the certification process. Audit committees have a direct interest in the certification process because CEOs and CFOs are required to disclose their conclusions about the effectiveness of Disclosure Controls & Procedures and provide details about changes in ICFR in the Management’s Discussion and Analysis (MD&A). The MD&A is a “core document” under Ontario’s legislation for civil liability for secondary market disclosure, and is one that audit committees are required to review and boards to approve. Audit committees must therefore satisfy themselves that these control-related disclosures are complete and properly described.

Moreover, CSA’s corporate governance guidelines (and corporate law generally) assign responsibility for the stewardship of the issuer, including internal control, to the board of directors. In addition, the CSA’s Multilateral Instrument 52-110, concerning audit committees, and National Instrument 51-102, regarding continuous disclosure obligations, impose significant responsibilities on boards regarding external disclosure of financial information.

For all these reasons it is important that directors fully understand their responsibilities regarding ICFR in ensuring reliable financial reporting.


Risk Management and Governance Board

Thomas Peddie, FCA, Chair
Dan Cornacchia, FCA
Brian Ferguson, CA
John Fraser, CA
Michael Harris, CA
Andrew J. MacDougall, LLB
Peter W Roberts, CA, CPA (Illinois)
Josee Santoni, CA

Directors Advisory Group

Giles Meikle, FCA, Chair
James Arnett, QC
William Dimma, F.ICD, ICD.D
John Ferguson, FCA
Gordon Hall, FSA, ICD.D
Robin Korthals
Mary Mogford, F.ICD, ICD.D
Patrick O’Callaghan
Ronald Osborne, FCA
Guylaine Saucier, CM, FCA

CICA Staff

William Swirsky, FCA, Vice President, Knowledge Development
Gigi Dawe, Principal, Risk Management and Governance


This publication, a companion document to Internal Control 2006: The Next Wave of Certification, Guidance for Management, provides audit committees and boards with an overview of the top-down, risk-based process suggested for CEOs and CFOs to follow in certifying the design of ICFR, and an understanding of the implications for board members of the new components of the CEO and CFO certifications. It also offers a set of 20 questions that an audit committee may wish to ask management about the ICFR certifications. This publication complements existing CICA publications about control, risk, corporate governance, disclosure and CFO responsibilities.

The guidance in both publications has been developed for TSX and venture issuers, since MI 52-109 applies to both. Small cap and venture issuers face special circumstances and control challenges. These are acknowledged and addressed to the extent possible at this time.

The RMG Board acknowledges and thanks members of the Directors Advisory Group (DAG) for their invaluable advice, the authors — James L. Goodfellow, FCA, Vice Chair of Deloitte, Alan Willis, CA, Alan Willis & Associates — and Hugh Miller for his editorial reviews and helpful suggestions.

The authors are responsible for the views expressed in this publication; it does not represent, amend or replace any professional standard nor does it constitute prescribed minimum requirements. Directors should consult their professional advisors on any matter about which they seek clarification, further information or guidance.

Tom Peddie, FCA Chair, Risk Management and Governance Board

Authors
James L. Goodfellow, FCA
Alan D. Willis, CA

Editor
Hugh Miller

Project Director
Gigi Dawe, Principal, CICA


Dedication

This publication is dedicated to the memory of W.A. (Bill) Bradshaw, FCA (1928 – 2006), a partner, friend and mentor to the authors. Bill made many unique contributions to the Canadian accounting profession. Perhaps the most significant of these was the introduction of multi-disciplinary “systems” thinking to the topics of governance, risk, control and accountability. His thoughts and insights have been invaluable to us in all our work, not least in developing this guidance — a legacy for which we are deeply grateful.


A. Introduction

In their annual certificates for 2006, CEOs and CFOs will now certify on the design of internal control over financial reporting. What are the implications for audit committees and boards of directors? What role do they have in the process?

Background

The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to certify in their 2006 annual certificates that they are responsible for establishing and maintaining both disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR). The certificates by CEOs and CFOs are to state that they have “designed such internal control over financial reporting…to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.”

The CEO and CFO certificates are also required to state that “any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting” is disclosed in the Management’s Discussion & Analysis (MD&A).

The CSA plans to further expand the CEO/CFO certification in the future to include a certification on the operating effectiveness of ICFR. Separate auditor attestation about ICFR is no longer expected under Canadian requirements (although it is required under Sarbanes-Oxley Act Section 404 in the U.S. and, therefore, still applies to inter-listed Canadian issuers).

Before outlining the top-down, risk-based process proposed for CEOs and CFOs to follow in their ICFR design certifications, this publication begins with an overview of the four phases of the CSA’s certification requirements and the relationship between ICFR and DC&P. This is followed by a summary of the board’s responsibilities regarding the organization’s control environment, “tone at the top” and integrity of the CEO, which have an overarching impact on ICFR. The extent to which the board fulfils these responsibilities impacts the effectiveness of ICFR. The publication discusses the role and responsibilities of the audit committee and external auditors regarding certification of ICFR, including ways in which external auditors may be of assistance to issuers and audit committees in this regard. A set of 20 questions is offered that audit committees may find it helpful to ask CEOs and CFOs about their certifications regarding ICFR design. Finally some conclusions and issues are presented about readiness for the fourth phase of certification.

Implications for audit committees and boards of directors

The certification requirements raise important questions for all issuers, not only for CEOs and CFOs but also for audit committees and boards of directors. Do they have a role in the certification process? What exposure would result if it was determined that a weakness existed in the design of ICFR after it had been certified by the CEO and CFO that was not mentioned in the board-approved MD&A? What exposure would result if material accounting errors were discovered after the documents had been filed, as well as the CEO’s and CFO’s certification of the design of ICFR, but no weaknesses had been reported in the MD&A, which the audit committee had reviewed and the board of directors had approved?

Boards delegate to management the responsibilities for designing and implementing a system of internal control. The CEO/CFO certifications, together with the assessments and evaluations the CEO and CFO make in support of their certifications, provide a public accountability for these delegated responsibilities. Should the issuer, its officers and its directors ever be sued for misleading financial statements or related disclosures, the existence of a robust, documented certification process with appropriate board involvement will be important to support a due diligence defence. The audit committee and board of directors, therefore, have an interest in ensuring compliance with the CEO/CFO certification requirements and that any issues raised in the process are properly addressed.

There is also an opportunity for the audit committee to encourage the organization to move beyond compliance by ensuring that ICFR contributes to the broader business objectives of the issuer. A recent paper from the International Federation of Accountants notes:

“It was felt that those companies that viewed internal control as sound business practice were more likely to have embedded it into their normal business processes, and more likely to feel that they had benefited as a result, than those that viewed it primarily as a compliance exercise.”1

Moreover, the relative costs of implementing sound ICFR may well outweigh the adverse impact of rectifying problems after they have become a market issue, not to mention the effect of damage to the reputations of the enterprise, its directors and officers.

This publication is directed at the needs of audit committees and boards of directors. It accompanies the more detailed publication for CEOs, CFOs and management about certifying the design of ICFR. Audit committee members and directors should refer to that publication for more in-depth information on specific aspects of the process suggested for CEOs and CFOs to follow in preparing to certify the design of ICFR.

1 International Federation of Accountants Information Paper, August, 2006, Internal Controls — A Review of Current Developments, page �5

Implications for small issuers

Certifying the design of ICFR is no small task, especially for a small company. Venture issuers are not exempt from the ICFR design certification requirement, yet there are important practical considerations for them to address that arise from the smaller size of many venture issuers. Corporate governance and audit committee practices for venture issuers may be less well developed than those in larger, non-venture issuers, partly reflecting differences in applicable CSA governance and audit committee requirements. Financial management functions and staffing may also be more limited in scale and capability in these companies.

These practical considerations for small and venture issuers are acknowledged and addressed to the extent possible in relevant parts of this document. The June 2006 U.S. COSO publication Internal Control over Financial Reporting — Guidance for Smaller Public Companies may be of some assistance to small cap issuers, although “smaller public companies” in the U.S. are often large compared to “smaller” Canadian public companies.

Some small issuers may face a special challenge: the new requirement for 2006 calls for certification of ICFR design, yet the lack of personnel and financial resources for many of these issuers may result in material weaknesses in ICFR, weaknesses that cannot be readily corrected in a cost-effective way. This could preclude them from providing the required certification about ICFR design, thus also preventing them from signing and filing the full certification (since no amendments to certificates are permitted). How this situation may be dealt with is an important issue for audit committees, as well as CEOs and CFOs, and is discussed later in this publication.


B. The Four Phases of Certification

Multilateral Instrument 52-109, CEO and CFO Certification, was issued in 2004 and contains requirements similar to the U.S. SOX-related certification rules, issued by the Securities and Exchange Commission (SEC). Since 2005, MI 52-109 has applied to all reporting issuers,2 although Canadian issuers that are also SEC registrants may use the certifications they prepare for U.S. purposes to satisfy the Canadian requirements. There are no exemptions for venture issuers, unlike those provided to companies listed on the TSX Venture Exchange for certain audit committee requirements.

The CEO and CFO certification requirements are being implemented in four phases, each of which builds on the previous one and expands the scope of the certification.

The first phase, introduced in 2004, required CEOs and CFOs of reporting issuers to personally certify that, based on their knowledge, the financial information contained in their annual and quarterly filings “fairly present in all material respects the financial condition, results of operation and cash flows” of the company. This was known as the “bare” certificate.

In the second phase, which became effective in 2005, CEOs and CFOs were also required to certify that they had designed disclosure controls and procedures to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to them by others within those entities. It also required CEOs and CFOs to certify that they had evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and had caused the issuer to disclose in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures.

2006 marks the introduction of the third phase of the certification. CEOs and CFOs are now required to add the following (italicized) additional certifications to their annual certificates3:

2 When MI 52-109 originally came into effect in 2004, it was not applicable in BC or Quebec.

3 CSA Staff Notice 52-311. A copy of the certificate for 2006 is provided in Appendix 1 together with a diagram illustrating the four phases of certification.

The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have:

(b) designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP;

and

I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.

The fourth phase of CEO/CFO certification has not yet been finalized, but will be introduced, at the earliest, in 2007. The CSA has indicated4 that this phase will require CEOs and CFOs to certify that they have evaluated the effectiveness of ICFR and disclosed the conclusions of their evaluation in the issuer’s annual MD&A. Unlike the U.S. requirements, CEOs and CFOs will not have to issue a separate management report on internal control, nor will they be required to obtain the external auditor’s opinion of management’s assessment of the effectiveness of internal control or the auditor’s own assessment of the effectiveness of internal control.

The CSA is currently revising MI 52-109 to reflect these proposals, which it is expected to release for public comment in the fall of 2006.

4 CSA Notice 52-313.


C. Relationship between ICFR and DC&P

The CEO/CFO certification requirements contain two control concepts — disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR).

Reporting issuers make two types of public disclosures. One type is the information contained in documents they are required to file with the securities regulators (including the interim and annual financial statements and MD&As). The other type includes other voluntary disclosures made in oral or written statements.

The CSA’s definition of ICFR relates to the reliability of financial reporting, focusing in particular on controls over the information contained in the interim and quarterly financial statements. Under the CSA definition, the purpose of ICFR is to provide reasonable assurance that:

  • financial statements prepared for external purposes are in accordance with the issuer’s GAAP
  • transactions are recorded as necessary to permit the preparation of financial statements, and records are maintained in reasonable detail
  • receipts and expenditures of the issuer are made only in accordance with authorizations of the issuer’s management and directors, and
  • unauthorized acquisitions, uses or dispositions of the issuer’s assets that could have a material effect on the financial statements will be prevented or detected in order to prevent a material error in annual or interim financial statements.

For the purpose of ICFR design certifications (and related MD&A disclosures), ICFR should, in our interpretation of the CSA definitions, be regarded as an element or subset of DC&P.5 This means any material weakness in the design (or operating) effectiveness of ICFR should be disclosed in the MD&A, as would any other weakness identified in management’s conclusions about the effectiveness of DC&P.

5 This interpretation is consistent with that expressed in Appendix III of “Perspectives on Internal Control Reporting”, December 2004, by Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP (USA). Part 6 of the Companion Policy to MI 52-109 also discusses this matter, indicating substantial but not complete overlap of DC&P over ICFR.

The following diagram illustrates the relationship between an organization’s overall control structure, its disclosure controls and procedures and its internal control over financial reporting. The diagram is intended to illustrate that ICFR is narrower than DC&P, which, in turn, is more restricted than the controls over all public disclosures, and they, in turn, are less encompassing than the total set of controls within an organization to help it achieve its objectives.

The relationship between disclosure controls and civil liability for disclosures in the secondary market is important. Directors, officers and issuers are entitled to a due diligence defence, which would include placing reliance on the issuer’s disclosure system and controls, providing they have conducted a reasonable investigation to support such reliance. The CEO and CFO certifications, and the process the CEO and CFO follow to support their certifications, would be an important component of such a defence.

[Diagram: Categories of Control, shown as nested categories from broadest to narrowest: Overall Business Control Structure; Controls over information contained in other public disclosures; Disclosure Controls and Procedures (DC&P) per MI 52-109 Definition; Internal Controls over information contained in annual and quarterly financial statements (ICFR) per MI 52-109 Definition]

The CEO and CFO certifications contemplated by MI 52-109 address only controls over documents that are required to be filed with a securities regulator. Audit committees or boards of directors that want to rely on disclosure controls over other voluntary disclosures (e.g., annual reports or conference calls with analysts) must ensure that the controls over these disclosures are either included in the CEO/CFO certification process or are evaluated in some other manner.

Key Messages

Disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR) are defined terms in MI 52-109. The CSA definition of ICFR focuses on the financial statement component of financial reporting.

Material weaknesses in the design of ICFR should be disclosed in the MD&A in a manner similar to the disclosure of material weaknesses in DC&P.

In light of Ontario’s civil liability legislation, issuers may wish to expand their operational definition of DC&P to include all public disclosures and not just information contained in documents that are required to be filed with a securities regulator.

D. The Board’s Responsibilities Regarding the Control Environment

Recent high-profile accounting scandals and convictions of CEOs demonstrate that effective ICFR ultimately depends on the integrity of the CEO and a culture of integrity within the organization. These are critical aspects of the control environment, often referred to as the “tone at the top.” A recent international review of current developments in and convergence of thinking about internal control states:

The importance of the tone at the top and the culture and ethical framework throughout the organization is fully acknowledged and considered essential to the successful implementation of an internal control system.6

The control environment is directly impacted by the board’s expectations for business conduct, which, in accordance with sound corporate governance principles and practices, are first shaped in the boardroom and then communicated to the rest of the organization, thus setting the context for all other business controls, including ICFR.

The following diagram illustrates the linkage of corporate governance with control and ICFR.

6 International Federation of Accountants Information Paper, August, 2006, Internal Controls — A Review of Current Developments, page �4

Board influence over the control environment and “tone at the top”

Recognized corporate governance principles and practices, embedded in the CSA guidelines and disclosure requirements, are available to boards of directors to assist them in formulating, communicating and monitoring their expectations about business conduct. Some important principles and practices for these purposes are described below.

Board responsibilities

The CSA states that the board’s mandate should include a statement of responsibility for the issuer’s internal control and management information systems7. It also calls for the board to set forth its expectations for the integrity of the CEO and other executive officers, for the CEO and other executive officers to create a culture of integrity throughout the organization and for the board to satisfy itself regarding these matters.

Unlike control procedures, the “tone at the top” cannot be “designed” in the same sense as more detailed operational or financial policies and procedures. The board, the CEO and senior management can, however, put in place the fundamental principles and expectations to shape the control environment and create a culture of integrity, which is normally reinforced by the example set by the CEO and senior management.

The potential for the CEO, CFO and/or controlling shareholder to override controls is also a risk that depends, to a great extent, on the control environment, particularly the objectives the board sets for the CEO and the board’s monitoring of the CEO’s performance.

Boards of directors also have a responsibility for the identification of the principal risks of the issuer’s business, including principal financial reporting and disclosure risks, and ensuring the implementation of appropriate systems to manage these risks.8 Risk and ICFR are, therefore, closely linked.

Code of conduct

One way the board can communicate its expectations for corporate behaviour is through a code of business conduct and ethics. The CSA calls for all boards to adopt a written code of business conduct and ethics, and to monitor compliance with the code.9 TSX-listed companies are also required to make disclosures about their adoption and monitoring of such a code.10

The failure to adopt and monitor compliance with a code of business conduct does not automatically create an ICFR “design weakness.” However, in our view it may well be indicative of such a weakness, the effect of which may be mitigated by other specific procedures or actions taken by the board and senior management.

7 National Policy 58-201 Corporate Governance Guidelines, item 3.48 CSA NP 58-201, 3.49 CSA NP 58-201, Corporate Governance Guidelines, items 3.8 & 3.910 CSA NI 58-101, Disclosure of Corporate Governance Practices, Form 58-101, item 5


Whistle-blowing policy

Multilateral Instrument 52-110, Audit Committees, states that:

(7) An audit committee must establish procedures for:

(a) the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and

(b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.

“Whistle blowing” procedures provide audit committees and boards with information about the control environment, and the policies that help shape it. Again, failing to establish effective “whistle blowing” procedures would not automatically create a “design weakness,” but would probably create the likelihood of one, which may be mitigated by specific procedures or actions taken by the board and senior management.

Compensation practices

The control environment and senior management’s behaviour can be severely impacted when compensation schemes reward the wrong behaviours (e.g., motivating senior management to override ICFR in order to misstate financial results).

The board, through its compensation committee, is expected to take responsibility for executive compensation. Boards should ensure that executive compensation programs support and reward behaviour consistent with the code of business conduct and ethics, and with board-approved corporate goals and objectives for the CEO.11

Management’s philosophy and operating style

The “tone at the top” has a major impact on the CEO’s and senior executives’ management philosophy and operating style, including their:

• approach to accepting, managing and monitoring business risks, including those related to disclosure and financial reporting
• attitudes and actions concerning financial reporting and disclosure, including accounting policies and estimates
• emphasis on meeting shorter term budget, profit, and other financial and operating goals, and
• focus on longer term business development and value creation.

The degree to which these factors are aligned with board-approved corporate goals, objectives and strategy influences management’s philosophy and operating style. That operating style is the interface between the board’s expectations and the control environment, and the expectations communicated to employees about control and the conduct of business. It, therefore, has a significant influence over the effectiveness of ICFR.

In summary, the control environment has an overarching, pervasive impact on other entity level and process level controls, including those relevant to ICFR.

11 CSA NP 58-201, Corporate Governance Guidelines, items 3.15 – 3.17.


Board influence over the control environment for venture issuers and small companies

What the board of directors of a venture issuer or small company can reasonably be expected to do in shaping the control environment and “tone at the top” and the means available to it to carry out those tasks deserves special attention.

NP 58-201 sets out corporate governance guidelines applicable to all reporting issuers. However, the instrument clearly acknowledges the need to “be sensitive to the realities of the greater numbers of small companies…in the Canadian corporate landscape,” and recognizes that “corporate governance is evolving.” Further, NI 58-101, Disclosure of Corporate Governance Practices, imposes more comprehensive disclosure requirements on non-venture issuers, mirroring the content of NP 58-201, than it does on venture issuers.

MI 52-110, Audit Committees, similarly acknowledges that the boardrooms and governance practices of venture issuers can be very different from those of non-venture issuers. It provides exemptions for venture issuers about audit committee composition (including independence and financial literacy) and disclosure requirements. There are, however, no exemptions for venture issuers regarding audit committee responsibilities, including the need for the audit committee to establish “whistle blower” procedures.

Given these circumstances, how should the board of a venture issuer or small company respond? Two possible scenarios can be considered. In one, the board may choose to adopt corporate governance best practices relevant to the organization’s size and stage of growth, and do its best to influence the tone at the top, provide oversight of the CEO and foster management integrity. This, in turn, will strengthen key entity level controls and the company’s general “control consciousness.” Together, these activities may compensate for possible shortcomings in process level controls that may be difficult or impossible to implement in a small company, such as the segregation of duties. This approach might suggest less risk and higher quality of management to analysts and investors.

In the second scenario, the board and audit committee may choose to focus only on complying with the governance practices contained in NI 58-101 and MI 52-110 that are directly applicable to venture issuers. As a result, the board would be less effective in setting expectations for “tone at the top” and providing oversight of the CEO, which, in turn, would be less likely to signal the importance of integrity in business conduct and disclosure. This would create a weak control environment, leaving the door open to undetected errors, undesirable business conduct, unreliable or misleading financial reporting and even management override of process level controls. This approach might indicate greater risk and lower quality of management to analysts and investors.

In summary, the control environment is an integral, overarching element of ICFR. CEOs and CFOs must address it in their assessment of the design of ICFR, despite the fact that their assessment will not be completely objective since the CEO is a central, influential feature of the control environment. The CEO’s and CFO’s assessment of the control environment should, therefore, be a key topic for enquiry by audit committees of both venture issuers and non-venture issuers if financial reporting risk is to be realistically assessed.


Key Messages

The control environment is shaped by the expectations set by the board and the “tone at the top” established by the CEO and senior management. It has a lot to do with the integrity of the CEO and other executive officers and their commitment to ethical behaviour.

The board should adopt a written code of business conduct and ethics and be responsible for monitoring compliance with this code.

Weaknesses in either the code of business conduct and ethics or monitoring compliance with the code would create the likelihood of a material design weakness in ICFR.

Assessing the control environment’s “design” is more subjective than assessing the design of detailed control procedures.

Audit committees and boards should consider whether the CEO’s and CFO’s assessment of the control environment is consistent with the information obtained through the board’s monitoring of compliance with the code, its evaluation of performance of the CEO, CFO and other senior officers, and through other mechanisms such as whistle-blowing procedures.

There are special considerations for CEOs, CFOs, audit committees and boards of venture issuers and small companies in assessing the control environment and the board’s influence on it.


E. Understanding the Process for Certifying the Design of ICFR

The CEO and CFO are personally responsible for their certificates and the processes and controls they put into place to discharge their responsibilities, both for the design of ICFR and for the ICFR certifications. It is important, however, that the board and the audit committee understand the certification processes the CEO and CFO put in place because of the impact those processes have on the quality of the financial statements and the reliability of the disclosures in the MD&A. The audit committee is required to review and the board is required to approve both of these primary components of financial reporting.

An overview of the suggested seven-step process that CEOs and CFOs might follow when certifying the design of ICFR is presented below. It is advisable for audit committees to review the proposed process with the CEO and CFO before it is undertaken.12 The process is discussed in more detail in the companion publication.

12 The process suggested in this publication does not specify the use of any particular control framework for assessing ICFR design. This is a decision that the CSA leave to reporting issuers. This matter is discussed further in the companion publication.

[Figure: Process for Certifying the Design of ICFR. Preparation Stage: (1) Review Relevant Control Information, (2) Identify Relevant Control Systems and Material Account Balances, (3) Review Principal Financial Reporting and Disclosure Risks. Assessment of Design Stage: (4) Assess Control Environment, (5) Assess Other Entity Level Controls, (6) Process Controls A to G. Conclusions and Disclosure Stage: (7) Assess Findings, Form Conclusions and Make Disclosures.]

1. Review relevant control information

All relevant control information should be collected and considered to help identify areas where a design weakness in ICFR might exist. One of the most common areas of material weaknesses reported by U.S. companies relates to the year end closing processes. This is not surprising given the complexity of accounting and disclosure decisions, including all the accounting estimates and judgments, involved in the preparation of the annual financial statements. Audit committees should satisfy themselves that management has reviewed the closing experience in prior periods, including any errors detected and adjustments made in preparing the financial statements for these periods, and assessed whether that experience indicates the possibility of any potential material weaknesses in the design of ICFR.

Audit committees should also be satisfied that management has considered and dealt with other sources of information within the company that might indicate an ICFR design weakness. Examples of such sources are given in the companion publication.

2. Identify relevant control “systems” and material account balances

An important step in preparing to assess the design of ICFR is to decompose ICFR into meaningful sub-categories. These sub-categories would include principal business processes within all business units, and the related accounting systems and financial statement account balances to which particular process level controls apply within the context of the control environment and other entity level controls.

3. Identify major financial reporting risks

A cost effective way to assess the design of ICFR is to begin by assessing whether it will provide reasonable (i.e., a high level of, but not absolute) assurance that significant disclosure and financial reporting risks are effectively controlled, and will not produce misleading accounting results or disclosures.

The board is responsible for the identification of the principal risks of the issuer’s business, which include principal financial reporting and disclosure risks. Investor confidence and market reputation are sensitive to disclosure and reporting deficiencies and uncertainties, and the market can punish issuers severely when investors are surprised by reports of consequences of risks that were not previously disclosed.

Boards and audit committees should ensure that CEOs and CFOs have instituted a reasonable, supportable and documented basis for concluding whether the controls that comprise ICFR address all major financial reporting and disclosure risks. Any risk that is not addressed could represent a significant, even material, weakness in ICFR and therefore in DC&P.

4. Assess the quality of the control environment

As discussed in the previous section, the control environment is directly impacted by the board’s corporate governance policies and practices, and the expectations the board sets for the CEO and the way business is to be conducted. Audit committees should review the CEO’s and CFO’s assessment of the control environment, culture of integrity and disclosure attitudes. They should ensure that the findings of management’s assessment are consistent with the board’s approved code of business conduct and ethics, the information the board has obtained in monitoring compliance with the code and through the whistle-blowing procedures, and the board’s evaluation of the CEO’s and CFO’s performance. The audit committee should also assess whether management’s philosophy and operating style enhance or jeopardize ICFR.


As also discussed in the previous section, the quality of the control environment is particularly important in venture issuers, since it can be the primary means of compensating for weaknesses in process controls. This should be of special interest to audit committees of venture issuers in their enquiry about the CEO’s and CFO’s assessment of the control environment and their conclusion about its significance for other controls in the design of ICFR.

5. Assess other entity level controls

In addition to the control environment, other important elements of control operate across the entity and impact its business process controls relevant to the objectives of ICFR. These entity-wide controls must be assessed to determine whether their design adequately supports the achievement of ICFR objectives. Several entity level controls are discussed in greater detail in the companion publication.

Some entity level controls will not necessarily exist in venture issuers, such as internal audit. Others will exist at a scale appropriate to the size of the venture issuer and its stage of business growth. These include management information systems, human resource policies, organizational structure, general (as distinct from application) information technology controls and upwards communication of material information.

6. Assess process level controls

A reporting issuer’s overall control structure includes controls relevant to ICFR at the level of business processes (e.g. revenue, purchasing, payroll, asset management, inventory, period-end closing, etc.) that exist within the company and its organizational units (e.g. divisions, subsidiaries, off-balance sheet/special purpose entities, joint-ventures, etc.).

Audit committees should obtain an understanding of how the CEO and CFO addressed each of the following elements in their assessment of the design of ICFR:

• the identification of principal financial reporting and disclosure risks related to each relevant business process
• accounting policies related to the recording of transactions and preparation of the financial statements, including preparation of accounting estimates13
• allocation of authority, responsibility and accountability for those involved in the preparation of the financial statements and the management and control of principal financial reporting and disclosure risks
• knowledge and competency of staff involved in the preparation of the financial statements
• controls to ensure effective compliance with accounting policies, management directives and regulatory requirements affecting financial reporting
• consistency of results of operations reported in the financial statements with management’s knowledge of business operations and other internal management information
• the existence and use of monitoring of activities, such as internal audit, that may indicate weaknesses in the design of ICFR

13 The audit committee’s review of key estimates is not a “control” but it is certainly a best practice. Audit committees should review an inventory of major estimates, assess changes from one period to the next (especially the release of reserves) and assess the overall impact on reported information.

Small cap issuers may not be able to implement some process level controls (e.g. internal audit, segregation of duties). Audit committees should enquire how the CEO and CFO are able to satisfy themselves that compensating entity level controls exist and/or other steps have been taken to ensure that the objectives of ICFR can be achieved.

7. Assess findings, form conclusions, make disclosures

Audit committees should review the conclusions reached by the CEO and CFO about the design of ICFR, the process the CEO and CFO used to conduct their assessment and how they decided on the disclosures to be provided in the MD&A.

Review assessments of ICFR design

CEOs and CFOs review their assessment of the design of ICFR at the entity level (control environment and other entity level controls) and at the level of process controls over business and accounting systems. Controls that address principal financial reporting and disclosure risks are “mission critical” because these risks could create serious reporting issues if they are not adequately controlled. Audit committees should obtain an understanding of the CEO’s and CFO’s conclusions about ICFR design based on their findings about ICFR for the relevant business control systems and account balances, and how they reached any overall conclusions about ICFR design.

Disclosure considerations

Changes made to ICFR to remedy material design weaknesses are to be disclosed in the MD&A at the end of the reporting period in which the changes were made.14

The companion document includes a process that CEOs and CFOs may use to determine whether an ICFR weakness is material, significant but not material, or immaterial. In the first two cases, the weaknesses should be brought to the attention of the audit committee and external auditors. Audit committees should enquire about the basis on which the CEO and CFO judged materiality. The companion document includes decision trees as aids for deciding on the appropriate disclosures and possible corrections to be made to the financial statements in relation to changes made to ICFR in the fourth quarter. The decision trees also address situations where an ICFR weakness is identified to exist at year end and before the financial statements are finalized.

In our view, any material design weakness in ICFR should be disclosed in the MD&A, since it is likely to also affect the effectiveness of DC&P. We consider this to be a prudent practice that ensures relevant information is provided to investors. Audit committees should be aware that, in the absence of a disclosure referencing a design weakness in ICFR, investors are likely to assume that the design of ICFR is effective and that there are no material weaknesses to disclose.

14 For December 31 2006 year end annual MD&As, this will be the fourth quarter.

A situation may arise where an uncorrected material weakness in design of ICFR has been identified as of the end of the reporting period, appropriate MD&A disclosure has been made about the weakness, and appropriate steps have been taken to ensure that there is no material effect on the financial statements.

Under these circumstances, it seems unlikely that the CEO and CFO would be able to certify that the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. This situation would, it might be argued, also prevent the CEO and CFO from signing and filing the full certificate, since the Companion Policy to MI 52-109 does not permit changes of any kind in the wording of the certificates.

If a situation such as this occurs, the matter should be brought to the attention of the audit committee, and legal counsel should be consulted to determine an appropriate course of action. We believe that the CSA may not object to CEOs and CFOs signing their certificates, including the paragraph about ICFR design, if:

• The weakness is fully disclosed in the MD&A, together with a formally approved remediation plan, or
• The weakness is fully disclosed in the MD&A, together with a statement, including supporting rationale, that the issuer cannot remediate the weakness.

In other situations, e.g. the weakness is reasonably capable of remediation but the issuer has not developed a remediation plan, the CSA may be reluctant to accept the certificate.

We encourage issuers to review the staff guidance that the CSA plans to provide on disclosure regarding ICFR weaknesses, and to consult with legal counsel and the appropriate securities commission on the disclosure and certification to be provided.

If the issuer is disclosing a remediation plan for an identified material weakness in ICFR, then in our view such a plan should clearly indicate the actions that need to be taken and when, and the commitment and capability to carry them out. The plan should be approved by the CFO, the CEO and the audit committee. These disclosures should continue to be provided in future periods until the audit committee is satisfied that the remediation plan has been fully implemented.

Issues for small companies and their audit committees

In small companies with limited resources, certain ICFR design weaknesses (e.g., segregation of duties) may be difficult or impossible for CEOs and CFOs to rectify in a cost-effective manner.

Although signing the certificates under MI 52-109 is a responsibility of the CEO and CFO, audit committees will wish to assess the impact of ICFR weaknesses on disclosures to investors that they must review and boards must approve.


In addition to following the course of action outlined above regarding uncorrected material weaknesses, management and the audit committee may wish to consider whether there are other actions that could be taken to provide assurance to investors that these ICFR design weaknesses have not resulted in material error in the financial statements. For example, the audit committee could engage the external auditor to perform quarterly reviews of interim financial statements. If the audit committee engages the auditors to perform quarterly reviews, we recommend that this fact be disclosed in the MD&A.

Additional help from the external auditors is discussed further in the next section of this publication.

Disclosure examples

Examples of material weaknesses disclosed by U.S. companies in their annual filings include:

• “The company did not maintain effective controls to ensure there was appropriate support and documentation for reimbursement of expenditures. This control deficiency resulted in a misstatement.”
• “Management identified a material weakness in the accounting for income taxes. Specifically the company did not maintain sufficient resources in the corporate tax function.”
• “Management had determined that a control deficiency related to revenue recognition on contracts entered into with customers constituted a material weakness.”
• “Two material weaknesses related to the company’s vendor debits process and financial statement close process existed in the company’s internal control over financial reporting.”


Key Messages

Audit committees should review the processes that support the CEO’s and CFO’s certification and be satisfied that they constitute a reasonable approach and are diligently performed.

Audit committees should review all design weaknesses in ICFR identified in these processes that could have a material impact on the issuer’s financial reporting.

Audit committees should understand how management assessed each weakness, and decided on whether it should be disclosed in the MD&A or not, and should review the “close call” decisions.

Audit committees should review the completeness and accuracy of the disclosures provided in the MD&A.

When unremediated ICFR design weaknesses are disclosed in the MD&A the audit committee should review, with advice from legal counsel as necessary, the proposed course of action for CEO and CFO signing of the certificates and consultation with the appropriate securities regulators.

When remediation plans are disclosed, the audit committee should review and approve them.


F. The Role of the Audit Committee and External Auditors

MI 52-109 does not require audit committees, boards of directors or external auditors to review or approve the CEO and CFO certificates. Audit committees are, however, required to review the MD&A, which is to include the disclosure of material weaknesses for both DC&P and ICFR and changes in ICFR. As a result, the directors need to become involved with the certification process in relation to ICFR, and audit committees and external auditors need to exercise their respective responsibilities regarding ICFR and related disclosures. This section discusses the roles of the audit committee, board of directors and external auditors. It also discusses ways in which the external auditors may help the audit committee fulfill its responsibilities.

The responsibilities of the audit committee and board of directors

Audit committees are required to review the issuer’s financial statements, MD&A and annual and interim earnings press releases before the issuer publicly discloses this information. The board of directors is required to approve both the issuer’s financial statements and MD&A for release and filing with securities regulators.

Since material weaknesses in DC&P and ICFR, along with material changes in ICFR, are required to be disclosed in the MD&A, the audit committee needs to satisfy itself that these disclosures are complete (i.e., all material weaknesses are disclosed) and fairly presented – just as it would for all other disclosures included in the MD&A.

We believe directors should not just review the draft control-related disclosures, but should also understand and assess the certification process that generated these disclosures. We make this suggestion for three reasons.

First, an understanding of the certification process would provide the audit committee with an opportunity to better understand the strengths and weaknesses of the control systems of the issuer, and where appropriate support from the audit committee will help to strengthen these systems.

Second, it provides the audit committee with an understanding of the pro-cess followed by the CEO and CFO in preparing to certify the effectiveness of ICGR design, and the basis for the judgments exercised in the process and assessment of findings.

Third, it should help the audit committee and directors establish a defence in the event of proceedings under Ontario’s civil liability legislation for second-ary market disclosures. It is in the audit committee’s interest to satisfy itself with respect to the rigour of the CEO/CFO certification process, findings and conclusions. Simply put, a rigorous certification process conducted by the CEO and CFO should be the directors’ best friend in defending themselves against a financial reporting or disclosure related lawsuit.

The audit committee can play an important role in supporting well designed ICFR, and ensuring that these controls are operating effectively. A well designed ICFR helps ensure that the audit committee and other internal users receive timely, accurate and reliable financial information on which to make decisions. The audit committee is well positioned to review and influence the design and operation of ICFR. The CFO is normally the primary management interface with the audit committee, and the external auditors, and often the internal auditors, report to the audit committee on the results of their work. In addition, when the board approves strategic plans, the audit committee can ensure that sufficient resources are allocated for designing and sustaining effective DC&P and ICFR.

The next section provides a set of 20 questions that audit committees and boards may wish to ask of CEOs and CFOs as part of their due diligence and oversight process to assure themselves that a rigorous assessment has been conducted of the design of ICFR.

The responsibilities of the external auditor

The external auditors can assist the audit committee and the board of directors in a number of ways, depending on the terms of their audit appointment and the other services they have been asked to perform. Today, the audits of Canadian public companies must be performed in accordance with either U.S. Generally Accepted Auditing Standards (GAAS) or Canadian GAAS. The external auditors of companies that are SEC registrants must comply with U.S. SOX 404 requirements and perform their audits in accordance with the auditing standards of the U.S. PCAOB [15] (U.S. GAAS), which require them to provide opinions on:

• the financial statements
• management’s assessment of ICFR, and
• the design and operational effectiveness of ICFR.

The external auditors of Canadian domestic issuers are required only to audit and report on the annual financial statements. Under Canadian standards, the auditor does not provide an opinion on the operating effectiveness of DC&P or on the design of ICFR.

15 Public Company Accounting Oversight Board


Understanding the differences between these two sets of auditing standards is important, since many corporate directors will sit on the boards of both Canadian domestic issuers and SEC registrants. The following is a brief overview of the implications.

Under U.S. standards for providing the ICFR-related opinions, the auditors are required to obtain a much deeper understanding and knowledge of the design and operating effectiveness of ICFR, enabling them to provide information likely to be of use to the audit committee. More importantly, the audit committee and board of directors are likely to be able to rely on the auditor’s control related opinions as reports provided by an “expert.” This additional knowledge and assurance, however, comes at a price, since the external auditors must significantly expand their review and testing of ICFR beyond that involved in a financial statement audit.

Canadian auditing standards, on the other hand, have been developed to support an audit of the financial statements, but not to provide additional opinions or assurance on ICFR. In conducting the audit, the auditor does, however, obtain some insights on aspects of the design of ICFR and its operating effectiveness. As a result, the external auditors can help audit committees understand the design of ICFR and any weaknesses they have detected in the course of their financial statement audit. The following paragraphs illustrate how the external auditor obtains this knowledge about the design and operating effectiveness of ICFR.

In conducting a financial statement audit, the external auditor is required under Canadian GAAS to obtain an understanding of internal control relevant to the audit. Controls relevant to a financial statement audit are those that pertain to the entity’s objective of preparing financial statements for external purposes that are fairly presented, in all material respects, in accordance with generally accepted accounting principles (GAAP) and the management of risks that may give rise to a material misstatement in those financial statements.

When obtaining an understanding of internal control relevant to the audit, the auditor evaluates the design of relevant controls and determines whether these controls have been implemented. The external auditor’s objectives in obtaining this understanding are to:

• identify types of potential misstatements of the financial statements
• consider factors that affect the risks of material misstatement of the financial statements, and
• design the nature, timing and extent of further audit procedures to be performed.

If, in determining the nature, timing and extent of further audit procedures to be performed, the external auditor decides to rely on the operating effective-ness of specific controls, the external auditor is required by GAAS to test that those controls operated effectively. The nature, timing and extent of tests of the operating effectiveness of these specific controls, and the work done on the design and implementation of controls relevant to the audit, are not intended to, and do not provide an appropriate basis for the external auditor to form an opinion on the operating effectiveness of ICFR as a whole. Accordingly, the external auditor does not provide such an opinion.


Communication with the audit committee

During the course of planning and performing the financial statement audit, the auditor may identify significant weaknesses in internal control relevant to the audit, and to management and the audit committee. To comply with GAAS, external auditors are required to communicate such weaknesses to the audit committee or its equivalent. Audit committees should, therefore, engage in an open and frank discussion with their external auditor to ensure that they understand the auditor’s views on the design of ICFR and any potential ICFR weaknesses that are of concern to the auditor.

When evaluating the effectiveness of the DC&P and assessing whether the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements, the CEO and CFO should also take into account material weaknesses in internal control communicated by the external auditor.

For their part, the external auditors are associated with the MD&A and must, therefore, review the MD&A to ensure its consistency with the financial statements and the knowledge they have developed during the course of the audit. Should the external auditor conclude that the representations or disclosures in the MD&A are inconsistent with their knowledge (e.g., the MD&A does not disclose any weaknesses in the design of ICFR but the external auditor is aware of design weaknesses that they consider to be material) then the external auditor is required to communicate this information to the audit committee and take whatever action is necessary.

Additional help from the external auditors

While the auditor’s communication of material weaknesses in internal controls may provide some useful insights into ICFR, the auditor cannot provide assurance with respect to the effectiveness of ICFR through an examination of financial statements alone. Nor can work done in a financial statement audit provide the type of assurance given to audit committees and boards of inter-listed companies subject to SOX 404. In order to receive such assurance, a Canadian issuer must engage its auditor to perform an engagement with the specific objective of providing assurance on ICFR. Such an engagement would require the auditor to perform procedures that were not included in the financial statement audit. The terms of such an engagement should be agreed between the auditor and the issuer (including approval by the audit committee) and be appropriately documented. While this alternative is likely to involve significant costs, it is probably the most effective way of minimizing the liability exposure of the issuer, its officers and directors. Whether the benefits are worth the costs involved is something for each audit committee to determine based on the issuer’s specific circumstances.

Another, less costly option is for the audit committee to engage the external auditor to perform “specified procedures” to support the audit committee’s due diligence assertion that it conducted a reasonable investigation. Such procedures might include performing tests of those controls related to principal financial reporting and disclosure risks. In such engagements, the external auditor would:

• agree with management and the audit committee as to the procedures to be performed
• perform those procedures, and
• report to management and the audit committee their findings.

While “specified procedures” engagements do not provide assurance on the overall design or operating effectiveness of ICFR, they would support an assertion that the audit committee conducted a “reasonable investigation.” They would also provide objective evidence for management and the audit committee to use in determining whether the disclosure of material weaknesses in the MD&A is required or not.

External auditors can also assist management with the documentation and evaluation of control procedures. However, depending on the nature and extent of procedures to be performed, such engagements could pose a threat to the auditor’s independence since it could place the auditor in a position of auditing their own work.

Key Messages

1. MI 52-109 does not require the audit committee or board of directors to approve the CEO’s and CFO’s certificates; however, they must review and approve the CEO’s and CFO’s conclusions that are disclosed in the MD&A.

2. While the external auditor is not required to audit the disclosures contained in the MD&A, they must review the MD&A to ensure that the ICFR related disclosures are consistent with the knowledge developed during the financial statement audit.

3. The audit committee should ask probing questions and obtain relevant information and reports to satisfy themselves that the certification process was thorough and rigorous and that all findings were dealt with appropriately.

4. If the audit committee desires more assurance from the external auditor than that provided in the audit of financial statements, they can:

   a. engage the external auditors to expand their audit procedures to provide a report containing an opinion on the design and operating effectiveness of ICFR similar to that provided in an audit of ICFR performed in accordance with U.S. auditing standards; or

   b. engage the external auditors to perform certain “specified procedures” with respect to ICFR and report their findings to both management and the audit committee.

5. Audit committees should encourage their organizations to take a “beyond compliance” approach that integrates ICFR into their business and risk management practices and helps them achieve their business objectives.


G. Questions Audit Committees Might Ask

For audit committees and boards to be able to rely on the certification process, they need to assure themselves that the CEO and CFO conducted a thorough and diligent evaluation of DC&P and a rigorous assessment of the design of ICFR. This requires audit committees and boards to ask the right questions and respond appropriately to the information and representations they receive. Some questions they might ask of management are presented below.

General

1. Describe the process you followed to assess the design of ICFR. Why are you confident that a thorough and effective process was followed?

2. Would any of the design deficiencies detected in this process indicate deliberate action to avoid, circumvent or eliminate control? Are there any indicators that a design weakness is linked to, or could result in, fraudulent activities?

3. What significant design deficiencies in ICFR have been identified and corrected in the past year? When?

4. What accounting and financial reporting “surprises” occurred in the past year? Do they indicate weaknesses in ICFR design?

5. When you evaluate and test operating effectiveness of ICFR next year, what areas are most susceptible to finding a weakness? What can be done now to ensure that such weaknesses do not exist in the future?

6. What level of priority has been placed by the internal audit function on ICFR, what conclusions have they reached, and what reliance can be placed on their work?

Preparation stage

7. What were the most significant financial reporting and disclosure risks that you considered in assessing the design of ICFR? What were your conclusions about the level of control over these risks?

8. Was an appropriate, recognized internal control framework used as the basis for design of ICFR? If not, how did you satisfy yourselves that the design of ICFR is effective?

Assessment of design stage

9. How did you assess the design of the control environment and “tone at the top” and what were your conclusions?

10. What other principal entity level controls were assessed, and what were your conclusions?

11. What business units/business processes have the most effective control? Which are the weakest and how serious is the risk of material misstatement?

12. Did you assess whether there are sufficient capabilities in each business unit/process to implement the ICFR design?

13. How do you ensure that the appropriate people are committed to implementing the ICFR design? (e.g., Are their reward and recognition systems aligned with the ICFR design objectives?)

14. What systemic weaknesses in control, if any, were identified? What is being done to address them?

Conclusions and disclosure stage

15. Are your conclusions about the design of ICFR consistent with the reports of internal auditors, the experience in quarter and annual closing and other sources of control related information, such as whistle blowing responses?

16. How did you decide which control weaknesses should only be brought to the attention of the audit committee and those that should be disclosed in the MD&A? What were the close calls and how were they resolved?

17. Has the disclosure committee reviewed the MD&A, including the control related disclosures? What are their views, including the implications for DC&P?

18. Are you satisfied with the disclosures in the MD&A about ICFR weaknesses and changes in the last quarter?

19. Have the financial statements and, where necessary, prior periods’ financial statements been corrected/restated as a result of identified ICFR weaknesses that caused material errors?

20. What has been the involvement of the external auditor to date, what input or findings have they provided and do you recommend additional work be undertaken by them? If so, why and what do you propose they do?

H. Readiness for the Fourth Phase of Certification

The top-down, risk-based process described in this publication is intended to help CEOs and CFOs comply in a cost effective way with the CSA requirements for 2006 certifications on design of ICFR and changes in ICFR. It also provides the opportunity for CEOs and CFOs to put in place the foundation for the next phase of certification, which deals with the operating effectiveness of ICFR. Performing a risk based assessment of the design of ICFR, and making the investments to remediate whatever weaknesses are identified, will strengthen internal business control and help avoid future more costly or even embarrassing surprises.

Assessing the design of ICFR may also identify opportunities to strengthen governance processes, such as the way in which the board monitors the implementation of an organization’s code of business conduct and the disciplines involved in establishing and sustaining a “culture of integrity.” This is essential for effective ICFR and should contribute more broadly to effective corporate governance.

The time and cost spent on assessing ICFR design in 2006, together with the remediation of identified weaknesses, will be an investment that should pay dividends in future periods.

Developing this publication brought to light two specific issues that, unless addressed, will also affect the fourth phase of certification. We raise these issues so that regulators and the CA profession can develop the appropriate responses to help issuers implement these new requirements.

The first is the situation faced by an issuer who has identified and disclosed a material weakness in ICFR at the end of 2006. CEOs and CFOs of such issuers may be unwilling to provide the required certification about design of effective ICFR, and, since they are not permitted to modify the certificate, this may mean they are not able to provide any type of certificate at all. The CSA is aware of this problem and is expected to provide staff guidance in the near future about disclosure of ICFR design weaknesses and changes.

The second issue is the lack of guidance for small companies, especially micro cap companies, with respect to ICFR. Many of these companies do not have the resources to apply GAAP or design and implement effective segregation of duties, and they often have a controlling shareholder who is the CEO. In some areas, these small/micro cap issuers have material weaknesses in ICFR while in other areas they have strong controls due to the active involvement of the CEO/controlling shareholder in the business. While there are compensating steps that issuers and their audit committees can take to ensure the reliability of financial reporting, these may be costly. There is an urgent need, in our view, for well-developed practical guidance on ICFR design, material weakness disclosure and mitigating strategies for small/micro cap issuers; the development of such guidance was well beyond the scope of this project.

The top-down, risk-based approach to assessing the design of ICFR presented in this publication will provide a solid foundation for assessing the operating effectiveness of ICFR when certification about that is also required. This guidance is, however, only a beginning; it needs to be updated and enhanced as experience is obtained. The authors and the CICA’s Risk Management and Guidance Board are anxious to obtain feedback, suggestions and ideas on how this guidance can be improved. Comments, ideas and suggestions will be appreciated and should be provided to [email protected].

Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006

The CSA’s Revised Flight Plan

[Diagram: timeline across 2004, 2005, 2006 and 2007, showing Content Certification and Control Certification, the latter split into Disclosure Controls (DC&P) and Internal Controls (ICFR).]

• Phase 1 (Content Certification): Management’s Bare Certification of Financial Information (Annual and Quarterly)
• Phase 2 (Disclosure Controls, DC&P): Management’s Certification of Design and Evaluation of DC&P (Annual), followed by Management’s Certification of Design (Annual and Quarterly) and Evaluation (Annual) of DC&P
• Phase 3 (Internal Controls, ICFR): Management’s Certification of Design of ICFR (Annual and Quarterly)
• Phase 4 (Internal Controls, ICFR): Management’s Certification of Evaluation of ICFR (Annual – Earliest Date)

Form 52-109F1 - Certification of Annual Filings

I, ‹identify the certifying officer, the issuer, and his or her position at the issuer›, certify that:

1. I have reviewed the annual filings (as this term is defined in Multilateral Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings) of ‹identify issuer› (the issuer) for the period ending ‹state the relevant date›;

2. Based on my knowledge, the annual filings do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances under which it was made, with respect to the period covered by the annual filings;

3. Based on my knowledge, the annual financial statements together with the other financial information included in the annual filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer, as of the date and for the periods presented in the annual filings;

4. The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have:

   a. designed such disclosure controls and procedures, or caused them to be designed under our supervision, to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which the annual filings are being prepared;

   b. designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP; and

   c. evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and have caused the issuer to disclose in the annual MD&A our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on such evaluation; and

5. I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.

Signature
Title
Date

Appendix 2: Where to Find More Information

Securities Laws and Regulations — Canada
www.osc.gov.on.ca/Regulation/Rulemaking/rrn_index.jsp

Canadian Securities Administrators (CSA)

• Multilateral Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings
• Multilateral Instrument 52-109CP Companion Policy
• Multilateral Instrument 52-110 Audit Committees
• Multilateral Instrument 52-110CP Companion Policy
• National Policy 58-201 Corporate Governance Guidelines
• National Instrument 58-101 Disclosure of Corporate Governance Practices
• National Policy 51-201 Disclosure Standards
• National Instrument 51-102 Continuous Disclosure Obligations
• Staff Notice 52-311 Regarding Required Forms of Certificates under MI 52-109
• Staff Notice 52-313 Regarding Status of Proposed MI 52-111 and Proposed Amendments to MI 52-109

Amendments to the Securities Act (Ontario) and Regulation 1015 (as enacted in 2005 under Bill 198)

Securities Laws and Regulations — United States
http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley

United States Securities and Exchange Commission (SEC)
www.sec.gov

CICA Publications
www.rmgb.ca

• CEO and CFO Certification: Improving Transparency and Accountability
• 20 Questions Directors Should Ask about Codes of Conduct
• 20 Questions Directors Should Ask about Internal Audit
• 20 Questions Directors Should Ask about IT
• 20 Questions Directors Should Ask about MD&A
• 20 Questions Directors Should Ask about Risk, 2nd edition
• Risk Management: What Boards Should Expect from CFOs
• Financial Aspects of Governance: What Boards Should Expect from CFOs
• Integrity in the Spotlight: Audit Committees in a High Risk World
• Learning about Risk: Choices, Connections and Competencies
• Guidance on Control
• Guidance on Assessing Control
• Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure
• Management’s Discussion and Analysis — Guidance on Preparation and Disclosure
• CICA Handbook — Assurance Recommendations

Other

International Federation of Accountants
• Internal Controls — A Review of Current Developments, Information Paper, August 2006
www.ifac.org

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), USA
• Internal Control over Financial Reporting — Guidance for Smaller Public Companies, 2006
• Internal Control — Integrated Framework, 1992
www.coso.org

Public Company Accounting Oversight Board (PCAOB, USA)
• Auditing Standard No.2

Perspectives on Internal Control Reporting — A Resource for Financial Market Participants (Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, PricewaterhouseCoopers LLP; USA, December 2004)

About the Authors

James L. Goodfellow, FCA, is a partner and vice chairman of Deloitte who advises boards of directors, audit committees, corporate executives and securities regulators in Canada and internationally on corporate reporting and governance related issues. He recently co-authored the book Integrity in the Spotlight: Audit Committees in a High Risk World.

He served as research director for the Joint Committee on Corporate Governance, is a past chairman of the CICA Accounting Standards Board, and has served on the CICA’s Emerging Issues Committee. He is a past chairman of the CICA Canadian Performance Reporting Board.

He is a frequent speaker on issues related to financial reporting, corporate governance and audit committees. He believes strongly that the external auditor should be accountable to the board of directors and the audit committee as representatives of the shareholders, and that this repositioning of the auditor/client relationship can produce significant benefits to the effectiveness of the audit.

Jim Goodfellow has served on the board of directors of Deloitte and, in the past, served as the firm’s National Director of Accounting & Auditing. He is a senior partner responsible for providing services to some of his firm’s largest clients.

Alan D. Willis, CA, is an independent consultant in the fields of corporate governance, performance measurement and business reporting, with a particular focus on the linkages of these topics with sustainable development and the business value of stakeholder relations. He directed the development of CICA’s guidance on MD&A preparation and disclosure and wrote the related briefing “20 Questions Directors Should Ask About Management’s Discussion and Analysis.” He co-authored CICA’s publication “Learning about Risk: Choices, Connections and Competencies.”

His first foray into the realm of corporate governance was writing a guidance booklet for audit committees and creating a documentary film about corporate directors in 1971. He observes that both would still be remarkably relevant today.

As a member of the International Corporate Governance Network, he serves on its Non-financial Business Reporting Committee. He has worked extensively with Canadian and international initiatives to develop performance indicators and reporting guidelines relevant to corporate management of and disclosure about climate change impacts, environmental performance and corporate social responsibility. He is currently engaged in a multi-disciplinary North American project on the design of a new corporate governance model for the 21st century.


INTERNAL CONTROL 2006: THE NEXT WAVE OF CERTIFICATION
Guidance for Directors

277 Wellington Street West
Toronto, ON Canada M5V 3H2
Tel: 416-977-0748
www.rmgb.ca