Internal Control 2006: The Next Wave of Certification ... · The Role of the Audit Committee and External Auditors 47 ... The Next Wave of Certification— Guidance for Management

INTERNAL CONTROL 2006:THE NEXT WAVE OF CERTIFICATION

Guidance for Management

James L. Goodfellow and Alan D. Willis

INTERNAL CONTROL 2006:THE NEXT WAVE OF CERTIFICATION

Guidance for Management

James L. Goodfellow and Alan D. Willis

Copyright © 2006 The Canadian Institue of Chartered Accountants 277 Wellington Street West Toronto, Canada M5V 3H2

www.rmgb.ca

Disponible en français Printed in Canada

iii

Preface v

A. Introduction 1

B. The Four Phases of Certification 5

C. Relationship between ICFR and DC&P 7

Key Messages 9

D. ICFR and Stages in Business Growth 11

Key Messages 13

E. Developing an Approach for Certifying the Design of ICFR 15

Overall considerations 15

Using a control framework. 16

Preventive and detective controls. 16

Entity wide controls and process level controls. 16

Alignment with sub-certification processes. 17

Process for certifying the design of ICFR 18

F. Certification Process:Preparation Stage 19

1. Review relevant control information 19

2. Identify relevant control “systems”and material account balances 20

3. Identify major financial reporting risks 21

Key Message 22

G. Certification Process:Assessment Stage 23

4. Assess the quality of the control environment 23

Board responsibilities 24

Code of conduct 24

Whistle-blowing policy 25

TOCTable of Contents

iv Table of Contents

Internal Control 2006: The Next Wave of Certification — Guidance for Management

Compensation practices 25

Management’s philosophy and operating style 25

Board influence over the control environment in venture issuers 26

Key Messages 27

5. Assess the design of other entity level controls 27

Key Messages 31

6. Assess process level controls 32

Key Messages 35

H. Certification Process:Conclusions and Disclosure Stage 37

a. Review findings from assessments of ICFR design 37

b. Disclosure considerations and decisions 39

i. Categories of ICFR design weaknesses 39

ii. Materiality 39

iii. A decision tree on disclosure of material weaknesses 40

iv. Investigating the impact of ICFR design weaknesses 41

c. Disclosure examples 42

d. Deciding on disclosure of changes in ICFR 43

e. Uncorrected material weaknesses in ICFR 44

f. Issues for small companies 44

Key Messages 45

I. The Role of the Audit Committee and External Auditors 47

The responsibilities of the audit committee and board of directors 47

The responsibilities of the external auditor 48

Communication with the audit committee 50

Additional help from the external auditors 50

Key Messages 51

J. Readiness for the Fourth Phase of Certification 53

Appendix 1: Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006 55

Appendix 2: MI 52-109 Definitions of Disclosure Controls and Procedures and Internal Control Over Financial Reporting 57

Appendix 3: Where to Find More Information 59

v

PrefaceThe Risk Management and Governance Board (the RMG Board) of the Cana-dian Institute of Chartered Accountants commissioned this document to help CEOs and CFOS to fulfill their responsibilities regarding external financial reporting, in particular Internal Control over Financial Reporting (ICFR) and the related CEO and CFO certifications that are effective in 2006.

The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to include for the first time in their 2006 annual certificates statements about the design of internal control over financial reporting and related MD&A disclosures. This is in addition to the existing certifications that address disclosure controls and procedures (DC&P).

This publication, a companion document to Internal Control 2006: The Next Wave of Certification, Guidance for Directors, provides CEOs and CFOs (and other management) with a top-down, risk-based process to follow in certify-ing the design of ICFR, including a methodology for assessing ICFR design weaknesses and deciding on necessary disclosures.

This guidance combines control principles, concepts and practices derived from recognized internal control frameworks, guidance and contemporary literature about ICFR with fresh insights and proposals developed for these CICA publications. This guidance also complements existing CICA publica-tions about control, risk, corporate governance, disclosure and CFO respon-sibilities.

The guidance in both publications has been developed for TSX and venture issuers, since MI 52-109 applies to both. Small cap and venture issuers face special circumstances and control challenges. These are acknowledged and addressed to the extent possible at this time.

The RMG Board acknowledges and thanks members of the Directors Advi-sory Group for their advice, the authors — James L. Goodfellow, FCA, Vice Chair of Deloitte, and Alan Willis, CA, Alan Willis & Associates — and Hugh Miller for his editorial reviews and helpful suggestions.

Preface

Risk Management and Governance Board

Thomas Peddie, FCA, ChairDan Cornacchia, FCABrian Ferguson CAJohn Fraser, CAMichael Harris, CA Andrew J. MacDougall, LLBPeter W Roberts, CA, CPA (Illinois)Josee Santoni, CA

Directors Advisory GroupGiles Meikle, FCA, ChairJames Arnett, QCWilliam Dimma, F.ICD, ICD.DJohn Ferguson, FCAGordon Hall, FSA, ICD.DRobin KorthalsMary Mogford, F.ICD, ICD.DPatrick O’CallaghanRonald Osborne, FCAGuylaine Saucier, CM, FCA

CICA StaffWilliam Swirsky, FCA Vice President, Knowledge DevelopmentGigi Dawe Principal, Risk Management and Governance

vi Preface


The authors are responsible for the views expressed in this publication; it does not represent, amend or replace any professional standard nor does it con-stitute prescribed minimum requirements. CEOs and CFOs should consult their professional advisors on any matter about which they seek clarification, further information or guidance.

Tom Peddie, FCA Chair, Risk Management and Governance Board

AuthorsJames L. Goodfellow, FCA

Alan D. Willis, CA

EditorHugh Miller

Project DirectorGigi Dawe, Principal, CICA

vii

DedicationThis publication is dedicated to the memory of W.A. (Bill) Bradshaw, FCA (1928 – 2006) a partner, friend and mentor to the authors. Bill made many unique contributions to the Canadian accounting profession. Perhaps the most significant of these was the introduction of multi-disciplinary “systems” thinking to the topics of governance, risk, control and accountability. His thoughts and insights have been invaluable to us in all our work, not least in developing this guidance — a legacy for which we are deeply grateful.

Dedication

AIn their annual certificates for 2006, CEOs and CFOs will have to certify on the design of internal control over financial reporting. What steps can CEOs and CFOs take to prepare to make these new certifications? What are the implica-tions of any material weaknesses that are identified during the process?

BackgroundThe Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, CEO and CFO Certification, requires CEOs and CFOs to certify in their 2006 annual certificates that they are responsible for establishing and main-taining both disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR), and that they have “designed such internal control over financial reporting…to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial state-ments for external purposes in accordance with the issuer’s GAAP.”

The CEO and CFO certificates are also required to state that “any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial report-ing” is disclosed in the Management’s Discussion & Analysis (MD&A).

The CSA plans to further expand the CEO/CFO certification in the future to include a certification on the operating effectiveness of ICFR. Separate auditor attestation about ICFR is no longer expected under Canadian requirements.

In brief, this publication provides an overview of the four phases of CSA’s certification requirements and the relationship between ICFR and DC&P, followed by a short discussion of the relevance of the stages in a company’s growth to the design of ICFR. It proposes a top-down, risk-based process for CEOs and CFOs to follow in order to assess the design of ICFR and deciding what internal and external disclosures are necessary to report their findings and conclusions. The roles of audit committees and external auditors regard-ing ICFR and related certification are discussed. Finally some conclusions and issues are presented about readiness for the fourth phase of certification. Appendix 1 provides a diagram of the four phases of CEO/CFO certification

Introduction

�


and the annual certificate required in 2006. Appendix 2 sets out the CSA defi-nitions of ICFR and DC&P. Appendix 3 shows where to find more informa-tion about topics referred to in this publication.

Responsibility for internal controlThe CSA’s corporate governance guidelines state that boards should be respon-sible for the issuer’s internal control and management information systems.1 In practice, the board of directors delegates to management the responsibility for designing and implementing a system of internal control, including those elements that constitute ICFR.

Internal control is widely taken to mean the processes established by manage-ment to provide reasonable assurance about achievement of the organization’s objectives regarding operations, reporting and compliance. Internal control is designed to address identified risks that threaten any of those objectives. The CSA definition of internal control over financial reporting specifies objectives relevant to financial reporting.

The CEO’s and CFO’s attitudes about and approach to the certification process send a clear signal to the entire organization. When CEOs make the process a top priority and provide active leadership to it, the people who prepare finan-cial reports, accounting estimates and financial disclosures will also make quality financial reporting a priority. Moreover, CEOs and CFOs might view the relative costs of implementing sound ICFR as outweighing the adverse impact of rectifying problems after they have become a market issue, not to mention the effect of damage to the reputations of the enterprise, its directors and officers.

While this publication is directed primarily to assist CEOs and CFOs, it also aims to assist other members of management involved in the certification and reporting process who need guidance on certifying the design of ICFR in time for the 2006 annual filings. Accordingly we frequently use the term “manage-ment” throughout the publication.

Implications for small issuersCertifying the design of ICFR is no small task, especially for a small company. Venture issuers are not exempt from the ICFR design certification require-ment, yet there are important practical considerations for them to address that arise from the smaller size of many venture issuers. Corporate governance and audit committee practices for venture issuers may be less well developed than those in larger, non-venture issuers, partly reflecting differences in applicable CSA governance and audit committee requirements. Financial management functions and staffing may also be more limited in scale and capability in small cap and venture issues.

These practical considerations for small and venture issuers are acknowledged and addressed to the extent possible in relevant parts of this document. The June 2006 US COSO publication Internal Control over Financial Report-ing — Guidance for Smaller Public Companies may be of some assistance to small cap issuers, although “smaller public companies” in the US are often large compared to “smaller” Canadian public companies.

1 CSA National Policy 58-201, Corporate Governance Guidelines, item 3.4

2 A. Introduction


Some small issuers may face a special challenge: the new requirement for 2006 calls for certification as to the effectiveness of ICFR design, yet the lack of personnel and financial resources for many of these issuers may result in material weaknesses in ICFR — weaknesses that cannot be readily corrected in a cost-effective way. This could preclude them from providing the required certification about ICFR design, thus also preventing them from signing and filing the full certificate (since no amendments to certificates are permitted). How this situation may be dealt with and disclosed is an important issue that is discussed later in this publication.

Boards of directors and audit committeesThe certification requirements raise important questions for audit commit-tees and boards of directors. What is their role in the process? What exposure would result if it was determined that a weakness existed in the design of ICFR after it had been certified by the CEO and CFO and not mentioned in the board-approved MD&A? What exposure would result if material accounting errors are discovered after the documents are filed, as well as the CEO’s and CFO’s certification of the design of ICFR, but with no weaknesses reported in the MD&A, which the audit committee had reviewed and the board of direc-tors approved?

A shorter companion publication is directed at the oversight needs and respon-sibilities of audit committees and boards of directors. The companion publica-tion places special emphasis on the role of the board of directors regarding the organization’s overall control environment and “tone at the top,” which have an overarching influence on ICFR. Audit committees or boards of directors seeking more detailed information on specific aspects of the process followed by CEOs and CFOs in preparing to certify the design of ICFR should refer to this publication.

� A. Introduction

BMultilateral Instrument 52-109, CEO and CFO Certification was issued in 2004 and contains requirements similar to the US SOX-related certification rules, issued by the Securities and Exchange Commission (SEC). Since 2005, MI 52-109 has applied to all reporting issuers,3 although Canadian issuers that are also SEC registrants may use the certifications they prepare for US purposes to satisfy the Canadian requirements. There are no exemptions for venture issuers, unlike those provided to companies listed on the TSX Ven-ture Exchange for certain audit committee requirements and corporate gov-ernance disclosures.

The CEO and CFO certification requirements are being implemented in four phases, each of which builds on the previous one and expands the scope of the certification.

The first phase, introduced in 2004, required chief executive officers and chief financial officers of reporting issuers to personally certify that, based on their knowledge, the financial statements and other financial information contained in their annual and quarterly filings “fairly present in all material respects the financial condition, results of operation and cash flows” of the company. This was known as the “bare” certificate.

In the second phase, which became effective in 2005, CEOs and CFOs were also required to certify that they had designed disclosure controls and pro-cedures to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to them by others within those entities. It also required CEOs and CFOs to certify that they had evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and had caused the issuer to disclose in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures.

3 When MI 52-109 originally came into effect in 2004, it was not applicable in BC or Quebec.

The Four Phases of Certification

�


2006 marks the introduction of the third phase of the certification. CEOs and CFOs are now required to add the following (italicized) additional certifica-tions to their annual certificates4:

The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have:

(b) designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial state-ments for external purposes in accordance with the issuer’s GAAP;

and

I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reason-ably likely to materially affect, the issuer’s internal control over financial reporting.

The fourth phase of CEO/CFO certification has not yet been finalized, but will be introduced, at the earliest, in 2007. The CSA has indicated that this phase will require CEOs and CFOs to certify that they have evaluated the effective-ness of ICFR and disclosed the conclusions of their evaluation in the issuer’s annual MD&A. Unlike the U.S. requirements, CEOs and CFOs will not have to issue a separate management report on internal control, nor will they be required to obtain the external auditor’s opinion of management’s assessment of the effectiveness of internal control or the auditor’s own assessment of the effectiveness of internal control.

The CSA is currently revising MI 52-109 to reflect these proposals, which it is expected to release for public comment in the fall of 2006.

4 CSA Staff Notice 52-311, Dec. 2005. A copy of the certificate for 2006 is provided in Appen-dix 1 together with a diagram illustrating the four phases of certification.

•

•

6 B. The Four Phases of Certification

CThe CEO/CFO certification requirements contain two control concepts — dis-closure controls and procedures (DC&P) and internal control over financial reporting (ICFR)6.

Reporting issuers make two types of public disclosures. One type is the information contained in documents they are required to file with the secu-rities regulators (including the interim and annual financial statements and MD&As). The other type includes other voluntary disclosures made in oral or written statements.

The CSA’s definition of ICFR relates to the reliability of financial reporting, focusing in particular on controls over the information contained in the interim and quarterly financial statements. Under the CSA definition, the purpose of ICFR is to provide reasonable assurance that:

financial statements prepared for external purposes are in accordance with the issuer’s GAAPtransactions are recorded as necessary to permit the preparation of finan-cial statements, and records are maintained in reasonable detailreceipts and expenditures of the issuer are made only in accordance with authorizations of the issuer’s management and directors, andunauthorized acquisitions, uses or dispositions of the issuer’s assets that could have a material effect on the financial statements will be prevented or detected in order to prevent material error in annual or interim financial statements.

For the purpose of ICFR design certifications (and related MD&A disclo-sures), ICFR should, in our interpretation of the CSA definitions, be regarded as an element or sub-set of DC&P.7 This means any material weakness in the

6 See Appendix 2 for CSA definitions of DC&P and ICFR.7 This interpretation is consistent with that expressed in Appendix III of “Perspectives on

Internal Control Reporting”, December 2004, by Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP (USA). Part 6 of the Companion Policy to MI 52-109 also discusses this matter, indicating substantial but not complete overlap of DC&P over ICFR.

•

•

•

•

Relationship between ICFR and DC&P

�


design (or operating) effectiveness of ICFR should be disclosed in the MD&A, as would any other weakness identified in management’s conclusions about the effectiveness of DC&P.

The following diagram illustrates the relationship between an organization’s overall control structure, its disclosure controls and procedures and its inter-nal control over financial reporting. The diagram is intended to illustrate that ICFR is narrower than DC&P, which, in turn, is more restricted than

the controls over all public disclosures, and they, in turn, are less encompass-ing than the total set of controls within an organization to help it achieve its objectives.

The relationship between disclosure controls and civil liability for disclosures in the secondary market is important. Directors, officers and issuers are enti-tled to a due diligence defence, which would include placing reliance on the issuer’s disclosure system and controls, providing they have conducted a rea-sonable investigation to support such reliance. The CEO and CFO certifica-tions, and the process the CEO and CFO follow to support their certifications, would be an important component of such a defence.

The CEO and CFO certifications contemplated by MI 52-109 address only controls over documents that are required to be filed with a securities regula-tor. Audit committees or boards of directors that want to rely on disclosure controls over other voluntary disclosures (e.g., annual reports or conference calls with analysts) must ensure that the controls over these disclosures are either included in the CEO/CFO certification process or are evaluated in some other manner.

Overall BusinessControl Structure

Disclosure Controls andProcedures (DC&P) perMI 52-109 Definition

Internal Controls overinformation containedin annual and quarterlyfinancial statements(ICFR) per MI 52-109Definition

Categories of Control

Controls over informationcontained in other publicdisclosures

� C. Relationship Between ICFR and DC&P


Key MessagesDisclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR) are defined terms in MI 52-109. The CSA definition of ICFR focuses on the financial statement component of financial reporting.

Material weaknesses in the design of ICFR should be disclosed in the MD&A in a manner similar to the disclosure of material weaknesses in DC&P.

In light of Ontario’s civil liability legislation, issuers may wish to expand their operational definition of DC&P to include all public disclosures and not just information contained in documents that are required to be filed with a securi-ties regulator.

•

•

•

� C. Relationship Between ICFR and DC&P

DICFR is not just about satisfying the financial reporting requirements of secu-rities regulators. A well designed ICFR system provides reasonable assurance that assets are safeguarded, and that accurate and reliable financial informa-tion and performance measures are reported on a timely basis to decision makers. In short, a well designed ICFR contributes to the enterprise’s ability to make decisions to help it achieve its business objectives, including those regarding competitive advantage and long term development. Weak ICFR is not just a financial reporting risk, it may represent a principal risk to the orga-nization and the achievement of its overall business objectives.

To meet these business objectives, ICFR must address the challenges, oppor-tunities and risks the business faces as it competes for market share, custom-ers, people and capital in its industry. Because these challenges and risks are different at the various stages of a company’s evolution, the required approach to ICFR will also differ.

At a given point in time, a company is typically in one of the following five stages of growth:

Start-up/Exploration

Rapid growth

Maturity

Transformation

Decline

Management must ensure that the design of ICFR addresses the risks related to each growth stage and is appropriately modified as the company transitions from one stage to another.

�. Start Up/Exploration.These companies typically have yet to establish the markets or customer bases to generate sustained profits and cash flows. They often lack strong accounting and financial capabilities, and must closely monitor and project cash flows to protect against burning through the capital provided by the owners and

1.

2.

3.

4.

5.

ICFR and Stages in Business Growth

��


raised in the Initial Public Offering. Their ICFR design issues relate to basic accounting, tax and cash flow management, and minimizing the potential for management override of controls by the CEO and/or controlling shareholder, who may still attempt to run the business as if it were a private company.

2. Rapid Growth.Keeping pace with double digit growth and struggling to supply sufficient product to keep up with customer demand are just some of the challenges fac-ing these companies, which often must address a range of issues demanding time and money that stress their management and accounting systems. Their ICFR design issues include the need to acquire the accounting capabilities to keep pace with, and catch up to, revenue growth and acquisition programs. Because it takes significant time and resources to implement these capabilities – which compete with the time and resources needed to keep up with cus-tomer demand -- the ICFR design solution is often to leave things as they are, or put in place “spread sheet interfaces” and other “workarounds.”

�. Maturity.These solidly profitable companies with significant market share, loyal cus-tomers, a sizeable work force, good cash flow and routine business opera-tions usually have several layers of management and a number of policies and business processes. Often, management attempts to flatten its management structure and streamline processes through automation and outsourcing to enhance productivity and improve shareholder returns. These businesses may also be spun off into structures such as income trusts, which create their own financial reporting challenges.

Mature companies’ ICFR design issues often relate to establishing effective entity level controls, enterprise risk management programs, accountabilities, and redesigning process controls to improve efficiency. In large mature orga-nizations, ICFR can become overly bureaucratic, procedure driven and pro-vide a false sense of comfort with respect to ICFR effectiveness. There is a risk that process redesign and reengineering programs will result in management losing control of their billing, costing and accounting systems, which high-light important ICFR design considerations in areas such as revenue recogni-tion or loss provisions. Multi-location and international operations, as well as the decentralization of operations and information systems may present further ICFR challenges.

4. Transformation.Should revenue growth level off and customers’ loyalty wane, companies will either reinvent themselves to get on a new “growth curve” or fall into a fur-ther stage of decline. Entering into new markets often requires considerable entrepreneurial skills and agility, so many larger mature organizations will accomplish their transformations through joint ventures, new investors and strategic partnership arrangements.

The implications for ICFR design in these companies are significant. Trans-formation is much more than the re-engineering of a business process or processes. The risks must be clearly understood. ICFR must be designed to maintain management control during the transformation process, and ensure that financial reporting, including key performance metrics, is accurate and

�2 D. ICFR and Stages in Business Growth


reliable no matter how bad the results may be. The documentation of and adherence to both new and pre-existing policies and controls may be another issue to address.

�. Decline.Companies with falling sales and profits and negative cash flow often reduce their workforces and cut programs in an attempt to restore profitability and cash flow, and alleviate the concerns of investors and analysts. These com-panies must balance their ICFR needs with the business’s need to cut its cost structure. Too often, though, cost cutting programs also impair the effective-ness of ICFR and reduce institutional memory and weaken the capability to produce reliable financial reporting.

Key MessagesBusinesses are not static, but are continually changing and evolving. ICFR must change as business changes from one growth cycle to another.

The design of ICFR that is appropriate to one growth cycle may not be effective in another. For example, the ICFR design for a large mature organization is not appropriate for a start-up; similarly, the design of ICFR in a start-up enterprise will need to change as revenue and business grow.

Understanding where the business is on the growth cycle will help CEOs, CFOs and audit committees assess risks and determine the key issues that must be addressed in ICFR design.

In larger companies, operating subsidiaries and business units may be in differ-ent stages in the growth cycle, which further complicates ICFR design.

•

•

•

•

�� D. ICFR and Stages in Business Growth

EIn 2006, CEOs and CFOs are required to assess the design of ICFR, but not its operating effectiveness. It is difficult to fully assess “design” without also con-sidering “operating effectiveness.” History is full of examples of grand designs that never worked in practice (many elaborate, early concepts for man-pow-ered flight, for example). Therefore, CEOs and CFOs must adopt an organized, disciplined and documented process for assessing the design of ICFR to sup-port their certification. It is advisable for the audit committee to review and approve this process at the outset, since the conclusions on DC&P, including those about the design of ICFR and any material changes in ICFR during the preceding quarter, will need to be disclosed in the MD&A.

Overall considerationsManagement should begin their approach to certification about ICFR design by developing a methodology whereby the nature, extent and timing of the steps in the process are based on principal financial reporting and disclosure risks and enable management to draw reliable conclusions about the design of ICFR. It is also useful to bear in mind the four objectives of ICFR as discussed earlier. Some factors to consider are:

The assessment should be “top down” and “risk based” to ensure that the focus is on the important financial reporting and disclosure risks and issues.

CEOs should play, and be seen to play, an active role in the process — help-ing set priorities and areas of focus, attending key meetings and participat-ing in decisions about the assessment of findings and required disclosures, including those in the MD&A. The CEO’s active involvement signals to the entire organization that ICFR and the design certification are important and helps ensure that the “tone at the top” is reflected in the approach to ICFR. CEOs also bring perspective, insight and judgment to the process that help ensure that ICFR is aligned with core business processes, includ-ing risk management, the use of key performance indicators to monitor operational and financial results, and continuous improvement in business processes and IT.

•

•

Developing an Approach for Certifying the Design of ICFR

��


Management should develop and document their assessment approach, which should include some level of testing (see the discussion on controls that mitigate key financial reporting risks),

Where possible, the assessment process should not be a stand alone pro-cess. It should be integrated with management’s ongoing control monitor-ing activities and anticipate the future need for management’s evaluation of and certification about ICFR effectiveness.

The CEO and CFO should inform the audit committee about their approach and process and involve the audit committee where appropriate, such as obtaining its comments on the proposed ICFR design certification process at the outset.

Designing effective ICFR is not a mechanical process and, consequently, cer-tifying its design cannot be performed in a mechanistic manner. The goal is to assess whether there is an appropriate mix of controls that work effectively together to achieve the objectives of ICFR set out in MI 52-109. Other impor-tant issues for CEOs and CFOs to consider as they plan their approach to assessing the design of ICFR include:

Using a control framework.The CSA leave the decision to use a control framework to the CEO and CFO. There are benefits to adopting a recognized control framework, particularly when CEOs and CFOs will also have to certify on the operating effectiveness of ICFR. COSO’s 1992 Internal Control — Integrated Framework is the most commonly used framework; smaller issuers should consider COSO’s “Internal Control over Financial Reporting — Guidance for Smaller Public Companies” (June 2006). The CICA’s 1995 Guidance on Control (CoCo) provides another recognized framework of control criteria.

Preventive and detective controls.There are two types of controls: those that prevent errors from occurring (e.g., accounting policies, safeguarding of assets) and those that monitor perfor-mance and detect errors that have occurred (e.g., internal audit, review of reconciliations, monitoring of financial performance against budgets). An effective ICFR should achieve a balance between preventive and detective controls.

Entity wide controls and process level controls.Effective ICFR must balance preventive and detective controls at the entity level with those at the process level.

•

•

•

�6 E. Developing an Approach for Certifying the Design of ICFR


Alignment with sub-certification processes.For DC&P purposes, many larger companies have established sub-certifica-tion processes, whereby the direct reports to the CEO and CFO provide for-mal certifications to them on the:

completeness and accuracy of the financial information pertaining to their areas of responsibility, andeffectiveness of disclosure controls and procedures.

Larger organizations should consider whether this process should include sub-certifications from those business unit and finance executives who have important responsibilities in the financial reporting process.

Sub-certifications by junior officers and managers are not a substitute for the CEO’s and CFO’s own diligence and knowledge, nor for ensuring that the company has effective DC&P and ICFR. However, a well designed sub-certifi-cation process that encompasses DC&P and the design of ICFR can add disci-pline to the financial reporting and disclosure process, positively reinforce the need for effective ICFR and help sustain a corporate culture that places a high value on accurate and timely financial reporting and disclosure. It can also form the backbone of an accountability system for financial reporting.

Perhaps the most useful benefit of a well designed sub-certification process is the opportunity it provides for CEOs and CFOs to engage business unit lead-ers in the financial reporting process, thereby helping those leaders to better understand the importance of risk management and effective control and, in so doing, better manage their business units.

To be effective, sub-certification processes should cover and be aligned with all of the issuer’s control systems and business units and should:

include a review of how the senior business and finance leaders of each busi-ness unit and “control system” satisfy themselves that the design of ICFR in their area of responsibility provides reasonable assurance of attaining the four key objectives of ICFRbe integrated with the management reporting and accountability struc-tures through which senior management monitors performance and man-ages the business and financial riskseducate the people involved in the sub-certification process regarding its purpose and their responsibilities, andsupport a culture of openness and trust that enables people to raise issues (e.g. potential ICFR design weaknesses) or questions without fear of criti-cism or reprisal.

CEOs and CFOs who follow the process suggested below, and document how it was applied, will have a demonstrable, reasonable basis for providing the certifications they are required to make concerning the design of ICFR.

•

•

•

•

•

•

�� E. Developing an Approach for Certifying the Design of ICFR


Process for certifying the design of ICFRThe following chart outlines a seven-step process that CEOs and CFOs may choose to follow for certifying the design of ICFR. The steps are discussed in detail in sections F, G and H.

7

1 Review Relevant ControlInformation

Identify Relevant ControlSystems and Material Account Balances

Review Principal Financial Reportingand Disclosure Risks

Assess Control Environment

Assess Other Entity Level Controls

Assess Findings, Form Conclusionsand Make Disclosures

PreparationStage

Assessment ofDesign Stage

Conclusions andDisclosure Stage

Process for Certifying the Design of ICFR

2345

ProcessControl A

6Process

Control B6

ProcessControl C

6Process

Control D6

ProcessControl E

6Process

Control F6

ProcessControl G

6

�� E. Developing an Approach for Certifying the Design of ICFR

FBefore they can begin assessing the design of ICFR, management should first:

review relevant control informationidentify relevant controls systems and account balances, andreview principal financial reporting and disclosure risks.

�. Review relevant control informationThe first step is to collect control information to help identify areas where design weaknesses in ICFR might exist. A survey of US companies reporting on ICFR under SOX 404 found that “indicators” of a material weakness in ICFR included:8

restatements of previously issued financialsmaterial audit adjustmentsineffective audit committeeineffective internal audit or risk assessment functionineffective regulatory compliance functionfraud of any magnitude by senior management, andfailure to timely correct significant deficiencies.

Areas where significant deficiencies in ICFR occurred included:

selection and application of accounting policiesantifraud programs and controlsnon-routine and nonsystematic transactions, andperiod end financial reporting process, including journal entries.

8 Identified in a study of SEC registrants’ public disclosures conducted by the Ives Group for Deloitte & Touche LLP.

•••

•••••••

••••

Certification Process: Preparation Stage

Review Relevant ControlInformation



PreparationStage

23

��


It is also informative to review the areas of weaknesses identified in the SOX 404 ICFR reporting (percentages represent the proportion of companies reporting the weakness):9

tax accruals, deferrals etc. 31.8%revenue recognition 31.1inventory/vendor cost of sales 27.2fixed/intangible assets 18.5leases or contingencies 16.6depreciation/amortization 12.6consolidation/Variable Interest Entities 8.9

An analysis of these weaknesses found they related to:material year end adjustments 52.6%restatements of financials 49.2personnel issues 47.7segregation of duties 21.0IT processing, access issues 20.7internal audit issues 2.5

Other sources of information to consider to help identify areas that might indicate ICFR design weaknesses include:

reports by internal auditmanagement letters and audit committee communications provided by the external auditorserrors detected by both management and the external auditors in the finan-cial statement preparation and closing process — irrespective of whether these errors were subsequently correctedcommunications from regulators, for example concerns expressed in con-tinuous disclosure reviews, andcommunications received from employees and others, e.g. as a result of the whistle blowing process

2. Identify relevant control “systems” and material account balances.It helps to decompose ICFR into meaningful sub-categories. These sub-cat-egories may include the principal processing and accounting systems, includ-ing the related material account balances, to which particular process level controls apply, within the context of the control environment and other entity level controls. A typical set of accounting systems would include:

financial statement closing and preparation processrevenue recognition, receivables and receiptspurchases, payables and paymentspayrollcapital expenditures, acquisitions and disposals, andfinance and treasury.

9 From a study conducted by Audit Analytics of 629 companies that reported material weak-nesses in the first year of SOX 404. The study was published in Section 404 Internal Control Material Weaknesses Dashboard — Results for the first full year of Section 404 disclosures, April, 2006

•••••••

••••••

••

•

•

•

••••••




PreparationStage

3

20 F. Certification Process: Preparation Stage


Reporting issuers are required to prepare their financial statements on a con-solidated basis under the issuer’s GAAP. Therefore, the certification of DC&P and ICFR will include subsidiaries whose financial statements are included in the consolidated financial statements. Larger companies whose accounting systems vary by subsidiary will need to separately consider each subsidiary’s accounting system, where the subsidiary may be material relative to the issu-er’s financial reporting.

CEOs and CFOs of issuers that consolidate their financial results and MD&A with those of a subsidiary that is also a reporting issuer need to determine the level of due diligence required in respect of the consolidate subsidiary in order for them to provide the issuer’s certification.10

In smaller companies, the accounting systems to be assessed are likely to be more obvious and straight forward.

�. Identify major financial reporting risksICFR should provide reasonable assurance that significant financial report-ing and other financial disclosure risks are effectively controlled, and will not produce misleading accounting results or disclosures. Therefore, the next step in preparing to certify the design of ICFR is to identify the major finan-cial reporting risks that are to be considered at each step in the assessment stage, including the final stage where findings are assessed and conclusions are formed.

Boards of directors have a responsibility for the identification of the princi-pal risks of the issuer’s business, including principal financial reporting and disclosure risks, and ensuring the implementation of appropriate systems to manage these risks.11

Entity-level management processes for identifying and addressing principal business risks should include financial reporting and disclosure risks since these can have serious adverse consequences to the issuer. Investor confidence and market reputation are sensitive to disclosure and reporting deficiencies and uncertainties. Enterprise risk management as an integrative manage-ment system can enhance management’s ability to identify, view and assess the potential impact of financial reporting and disclosure risks from a “top-down” strategic perspective, not just at the level of business processes and transaction processing.

A robust process for identifying financial reporting and disclosure risks enables CEOs and CFOs to focus on the areas of greatest potential for finan-cial reporting errors and omissions and, for each identified control “system,” assess whether the design of ICFR is likely to reduce these risks to an accept-able level. If a company does not have a robust process for identifying princi-pal business risks, then it should consider establishing one to ensure, among other things, that its ICFR will address financial reporting risks. A significant financial reporting risk that is not adequately addressed by the issuer’s ICFR would likely constitute a design weakness.

10 Companion Policy to MI 52-10911 CSA NP 58-201, 3.4




PreparationStage

2� F. Certification Process: Preparation Stage


The bottom line is this: CEOs and CFOs need to have a reasonable, support-able and documented basis for concluding whether the controls that comprise ICFR address all major financial reporting and disclosure risks. Any such risk that is not addressed will represent a significant, even material, weakness in ICFR and, therefore, in DC&P.

CEOs, CFOs and management may wish to take the following steps to assess whether the design of ICFR adequately reduces key financial reporting risks to an acceptable level:

identify the key controls that address the identified financial reporting risksassess and form judgments as to whether these controls are likely to pro-vide reasonable assurance for the mitigation of these risks; in making its assessment, management should consider the control related information obtained, and past experience, andconduct a walkthrough or “test of one” for all key controls to assess whether the control has been placed into operation.

Key MessageCEOs and CFOs should determine whether the principal disclosure and financial reporting risks have been identified. At the end of the design certification pro-cess, they should also determine whether those risks are adequately addressed by controls to reduce to an acceptable level their potential to prevent achieve-ment of the four objectives of ICFR.

•

•

•

•

22 F. Certification Process: Preparation Stage

GThe next steps in the process involve utilizing the information collected in the preparation stage to assess the quality of:

the overall control environmentall other entity level controls, andrelevant process level controls.

4. Assess the quality of the control environmentRecent high-profile accounting scandals and convictions of CEOs demon-strate that effective ICFR ultimately depends on the integrity of the CEO and a culture of integrity within the organization. These are critical aspects of the control environment, often referred to as the “tone at the top.” The control environment is directly impacted by the board’s expectations for business conduct, which, in accordance with sound corporate governance principles and practices, are first shaped in the boardroom, and then communicated to the rest of the organization, thus setting the context for all other business controls, including ICFR.

The following diagram illustrates the linkage of corporate governance with control and ICFR.

•••

Certification Process: Assessment Stage




ProcessControl A

ProcessControl B

ProcessControl C

ProcessControl D

ProcessControl E

ProcessControl F

ProcessControl G

2�


A recent international review of current developments in and convergence of thinking about internal control states:

The importance of the tone at the top and the culture and ethical frame-work throughout the organization is fully acknowledged and considered essential to the successful implementation of an internal control system.12

The CEO’s and CFO’s assessment of the control environment should also be reviewed by the audit committee and board as part of their oversight of the certification process. The five elements to consider in assessing the control environment are discussed below.

Board responsibilitiesRecognized corporate governance principles and practices embedded in CSA guidelines and disclosure requirements emphasize the board’s role in formulating, communicating and monitoring their expectations about busi-ness conduct. These guidelines state that the board’s mandate should include a statement of responsibility for the issuer’s internal control and management information systems13. The guidelines further state that the board should sat-isfy itself regarding the integrity of the CEO and other executive officers, and the CEO’s and other executive officers’ efforts to create a culture of integrity throughout the organization.

The “tone at the top” cannot be “designed” in the same sense as operational or financial policies and procedures. The board, the CEO and senior manage-ment can, however, put in place the fundamental principles and expectations to shape the control environment and create a culture of integrity, which is normally reinforced by the example set by the CEO and senior management.

The potential for the CEO, CFO and/or controlling shareholder to override controls is also a risk that depends, to a great extent, on the control environ-ment, particularly the objectives the board sets for the CEO and the board’s monitoring of the CEO’s performance.

Code of conductThe board can communicate its expectations for corporate behaviour through a code of business conduct and ethics. The CSA calls for all boards to adopt a written code of business conduct and ethics, and to monitor compliance with the code.14 TSX-listed companies are also required to make disclosures about their adoption and monitoring of such a code.15

The failure to adopt and monitor compliance with a code of business conduct does not automatically create an ICFR “design weakness.” It does, however, in our view, create a likelihood of such a weakness, which may be mitigated by other specific procedures or actions taken by the board and senior manage-ment.

12 International Federation of Accountants Information Paper, August, 2006, Internal Con-trols — A Review of Current Developments, page 14

13 National Policy 58-201 Corporate Governance Guidelines, item 3.414 CSA NP 58-201, Corporate Governance Guidelines, items 3.8 & 3.915 CSA NI 58-101, Disclosure of Corporate Governance Practices, Form 58-101, item 5

24 G. Certification Process: Assessment Stage


Whistle-blowing policyMultilateral Instrument 52-110, Audit Committees, states that:

(7) An audit committee must establish procedures for:

(a) the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and

(b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

“Whistle blowing” procedures provide audit committees and boards with information on the control environment, and the policies that help shape it. Again, failing to establish effective “whistle blowing” procedures would not automatically create a “design weakness,” but would probably create the like-lihood of one, which may be mitigated by specific procedures or actions taken by the board and senior management.

Compensation practicesThe control environment and senior management’s behaviour can be severely impacted when compensation schemes reward the wrong behaviours (e.g., motivating senior management to override ICFR in order to misstate financial results).

The board, through its compensation committee, is expected to take responsi-bility for executive compensation, which would include ensuring that execu-tive compensation programs support and reward behaviour consistent with the code of business conduct and ethics, and board-approved corporate goals and objectives for the CEO.16

Management’s philosophy and operating styleThe preceding factors contribute to the “tone at the top” which in turn has a major impact on the CEO’s and senior executives’ management philosophy and operating style, including their:

approach to taking and monitoring business risks, including those related to disclosure and financial reportingattitudes and actions concerning financial reporting and disclosureemphasis on meeting shorter term budget, profit, and other financial and operating goals, andfocus on longer term business development and value creation.

The degree to which these factors are aligned with board-approved corpo-rate goals, objectives and strategy influences management’s philosophy and operating style. That philosophy and operating style is the interface between the board’s expectations and the control environment, and the expectations communicated to employees about control and the conduct of business. It, therefore, has a significant influence over the effectiveness of other entity level and process level controls relevant to ICFR.

The control environment has an overarching, pervasive impact on other entity level and process level controls, including ICFR. Because the CEO and the CFO are themselves key actors within and influencers of the control environ-

16 CSA NP 58-201, Corporate Governance Guidelines, items 3.15 – 3.17.

•

••

•

2� G. Certification Process: Assessment Stage


ment, their assessment of the control environment and culture of integrity is unavoidably subjective — and, some might suggest, questionable. This pres-ents a challenge for the CEO and CFO in their certification of the design of ICFR, since they are in effect called upon to assess their own ethics, business conduct and “culture of integrity.” The dialogue between the CEO and CFO and the audit committee will be an important feature in reaching a balanced, objective assessment of the control environment and its effectiveness relative to the design (and later operation) of ICFR.

Board influence over the control environment in venture issuersWhat the board of directors of a venture issuer can reasonably be expected to do in shaping the control environment and “tone at the top” and the means available to it to carry out those tasks deserve special attention.

NP 58-201 sets out corporate governance guidelines applicable to all report-ing issuers. However, the instrument clearly acknowledges the need to “be sensitive to the realities of the greater numbers of small companies…in the Canadian corporate landscape”, and recognizes that “corporate governance is evolving.” Further, NI 58-101, Disclosure of Corporate Governance Practices, imposes more comprehensive disclosure requirements on non-venture issu-ers, mirroring the content of NP 58-201, than it does on venture issuers.

MI 52-110, Audit Committees, similarly acknowledges that the boardrooms and governance practices of venture issuers can be very different from those of non-venture issuers. It provides exemptions for venture issuers about audit committee composition (including independence and financial literacy) and disclosure requirements. There are, however, no exemptions for venture issu-ers regarding audit committee responsibilities, including the need for the audit committee to establish “whistle blower” procedures.

Given these circumstances, how should the board of a venture issuer respond? Two possible scenarios can be considered. In one, the board may choose to adopt corporate governance best practices relevant to the organization’s size and stage of growth, and do its best to influence the tone at the top, provide oversight of the CEO and foster management integrity. This, in turn, will strengthen key entity level controls and the company’s general “control con-sciousness.” Together, these activities may compensate for possible shortcom-ings in process level controls, such as the segregation of duties, that may be difficult or impossible to implement in a small company. This approach might suggest less risk and higher quality of management to analysts and investors.

In the second scenario, the board and audit committee may choose to focus only on complying with those governance practices contained in NI 58-101 and MI 52-110 that are directly applicable to venture issuers. As a result, the board might be less effective in setting expectations for “tone at the top” and providing oversight of the CEO, which, in turn, would be less likely to signal the importance of integrity in business conduct and disclosure. This could cre-ate a weak control environment, leaving the door open to undetected errors, undesirable business conduct, unreliable or misleading financial reporting and even management override of process level controls. This approach might indicate greater risk and lower quality of management to analysts and investors.

26 G. Certification Process: Assessment Stage


The CEO’s and CFO’s assessment of the control environment should be a key topic for enquiry by audit committees of both venture issuers and non-venture issuers if financial reporting risk is to be realistically assessed.

Key MessagesThe control environment is shaped by the expectations set by the board and the “tone at the top” established by the CEO and senior management. It has a lot to do with the integrity of the CEO, other executive officers and their commitment to ethical behaviour.

The establishment of a board approved and monitored written code of business conduct and ethics is an important feature of the control environment

Weaknesses in either the code of business and ethics or monitoring compli-ance with the code would create the likelihood of a material design weakness in ICFR.

Assessing the control environment’s “design” by CEOs and CFOs is more sub-jective than assessing the design of other entity level and process level detailed control policies and procedures.

Audit committees and boards should ensure that the CEO’s and CFO’s assess-ment of the control environment is consistent with the information obtained through the board’s monitoring of compliance with the code, its evaluation of performance of the CEO, CFO and other senior officers, and other mechanisms such as whistle-blowing procedures. CEOs and CFOs should be proactive in involving audit committees in the assessment of the control environment.

There are special considerations for CEOs, CFOs, audit committees and boards of venture issuers in assessing the control environment and the board’s influ-ence on it.

•

•

•

•

•

•

�. Assess the design of other entity level controlsThe control environment is a vital entity-level control created by relevant aspects of corporate governance, the entity’s tone at the top and its culture of integrity. However, there are other important elements of control relevant to ICFR that function across the entity and impact its business process controls of all types. It is, therefore, necessary to assess whether these other entity-wide controls are designed to adequately support the achievement of ICFR objec-tives, with the necessary linkages among them, and an appropriate balance between them and the process level controls for each control “system.”

Entity-level controls are those that pervade and span all parts of an organiza-tion and its business units and processes to support the achievement of all of the organization’s objectives — strategic, operational, reporting and compli-ance. CEOs and CFOs should focus on the design of the entity-level controls that are particularly relevant to external financial reporting objectives and ICFR.




ProcessControl A

ProcessControl B

ProcessControl C

ProcessControl D

ProcessControl E

ProcessControl F

ProcessControl G



Entity-level controls are overarching in nature, interdependent and should function holistically in reducing risk and achieving objectives. Linkages should exist between entity-level controls and business process controls and, therefore, the design of the latter should take into consideration the positive influence of the former. This is a question of balance.

Key entity-level controls that CEOs and CFOs should consider carefully in the context of design of ICFR are the focus of the fifth step in the process for certifying the design of ICFR. These controls include:

internal auditmanagement information systems and performance measureshuman resource policies and practices (including compensation)organizational structureinformation technology, andupwards communication of material information.

Some entity level controls will not necessarily exist in venture issuers, such as internal audit. Others will exist but at a scale appropriate to the size of the venture issuer and its stage of business growth.

Each of these controls is discussed briefly below.

Internal auditDoes the internal audit function periodically evaluate the design and operation of process level and other entity level controls relevant to ICFR objectives? Does it follow up on recommendations to institute or improve such control features? Is it sufficiently well resourced and independent to be effective?

The mandates of internal audit functions vary considerably from company to company. Smaller issuers may not even have an internal audit function or they may outsource such activities. There are three important factors to consider in assessing internal audit’s effectiveness in the design and monitoring of ICFR:

Mandate: Is internal audit’s mandate and audit plan aligned to helping achieve the objectives of ICFR or is it focused primarily on operational efficiency and effectiveness?

Reporting relationships: Does internal audit report to the CEO or suf-ficiently high in the organization to ensure that weaknesses in ICFR are surfaced and dealt with? Does it have direct access to and a strong working relationship with the audit committee?

Capabilities: Does internal audit have people with the requisite knowledge, experience and skills to effectively discharge their mandate? Does it have the requisite policies, procedures, tools and financial resources to operate effectively and meet its mandate?

••••••

•

•

•



Management information systems and performance measuresWhat financial and operational performance reports are regularly provided to man-agement at various levels in the organization? Does management’s review of these reports, and the actions they take in response, provide a reliable means of detect-ing errors or problems in underlying data and accounting systems?

A valuable benchmark for assessing the reliability of periodic external finan-cial reports is the extent to which management at all levels receive and review regular, reliable operational and financial reports and analyzes variances against targets, budgets and prior period data. What may initially appear to be “variances” may, upon closer investigation, be found to be errors in the accounting system.

Non-financial management (i.e., operating, sales and administrative person-nel) are well-positioned and equipped to detect and communicate deficiencies in external financial reporting. However, the culture and incentives must be conducive to such action, with suitable upward communication about signifi-cant variances and related analyses to keep the CEO and senior management sufficiently informed and equipped to detect accounting errors and possibly misstated or misleading external financial reporting. Therefore, the design of ICFR should incorporate the appropriate checks and balances that involve senior non-financial management and operating managers throughout the organization.

Human resource policies and practices, including compensationAre human resource policies and practices conducive to attracting, retaining, developing and rewarding personnel for acquiring and applying the skills and attitudes necessary for to carry out their assigned responsibilities relative to the objectives of ICFR? Are the human resource policies and practices consistent with management’s philosophy and operating style?

Human resource policies and practices — including those related to recruit-ing, job descriptions and competencies, training and career development, and performance evaluation and compensation — reflect, among other things, the CEO’s management philosophy and commitment to competence.

At the entity-level, human resource policies and practices have a direct impact on the level and quality of staffing for the accounting and finance functions. The design of business process-level controls that address the knowledge and competence of financial staff is closely linked to and influenced by entity-level human resource policies and practices.



Organization structure, and assignment of authority, responsibility and accountabilityAre authority and responsibility assigned to positions within an organization structure conducive to the effective and efficient achievement of ICFR objec-tives? Are reporting relationships and accountabilities clearly established and widely understood?

A company’s organization structure and its policies and procedures regard-ing authority, responsibility and accountability are driven by management’s decisions about strategy and the execution of strategy, and by management’s philosophy and operating style. These are important factors to consider in the design of ICFR, particularly the way in which the organization’s accounting and finance functions are organized and staffed, the extent to which authority and responsibility are delegated and the extent to which there is appropriate segregation of duties.

Accountability, in practice, is more than just an aspect of structural choices and management policies and procedures. It is also influenced by the culture of integrity, tone at the top, and management philosophy and operating style. This makes it more difficult, but no less important, to consider than the other more tangible features of ICFR design.

Information Technology (IT)Do the appropriate entity-wide controls exist over computer hardware, business and accounting systems and internal networks to ensure system security and data and program integrity? Are IT controls designed according to recognized methodolo-gies and integrated within the organization’s overall control structure?

IT controls need to be considered at three levels: Entity-wide; Application; and Distributed processing.

Entity-wide IT controls are a key aspect of ICFR design. That is why the COSO framework was adapted by ISACA17 and its research affiliate for their Control Objectives for Information and Related Technology (COBIT),18 which pro-vides guidance on the design and evaluation of IT controls for the purposes of financial reporting objectives and ICFR.

Entity-level IT controls are distinct from application controls specific to busi-ness processes and identified control “systems.” Entity-level controls include what are often referred to as general computer controls and are important, not only for ICFR purposes related to external reporting, but also for the effec-tiveness of business and risk management information systems. At the entity level, a particular challenge for IT and financial professionals is for them to function effectively together in determining cost-effective control solutions that integrate financial and operational data and information needs.

The advent of distributed processing, and the use of IT by personnel through-out an organization, often with internet access, presents its own set of com-plexity and IT-related risks, which in turn can pose risks that ICFR needs to address.

17 Formerly known as Information Systems Audit and Control Association18 COBIT expressly aims to integrate IT controls within the COSO 1992 framework, and the

more recent COSO ERM framework (2004).

�0 G. Certification Process: Assessment Stage


Upwards communication of material informationAre policies and procedures in place to ensure the upward communication of information from all business units and subsidiaries? Is the appropriate informa-tion being communicated upward to senior management so they can make timely decisions about financial disclosures and to correctly apply accounting policies and estimates?

Material information relating to the financial statements, from all levels of the reporting issuer’s organization including its consolidated subsidiaries, must be made known to the CEO and CFO, particularly during the period in which the financial statements are being prepared.

The upward communication of material information is a key feature of DC&P and the CEO’s and CFO’s certification of it. The CEO and CFO need to assess specifically whether policies and procedures exist to ensure that they receive timely information about material events and conditions across and at all levels of the organization. That assessment will enable the CEO and CFO to then assess whether the accounting and disclosure are complete, accurate and appropriate. The absence of such policies and procedures would prima facie represent an ICFR design weakness.

Issuers that have already taken steps to implement DC&P to support their related DC&P certifications should find these steps also contribute to ICFR.

Key MessagesThe CEO and CFO must assess whether entity-wide controls are designed to adequately support the achievement of ICFR objectives, with the necessary link-ages among them, and an appropriate balance between them and the process level controls for each control “system.”

Key entity-level controls that CEOs and CFOs should assess include:internal auditmanagement information systems and performance measureshuman resource policies and practices (including compensation)organizational structureinformation technology, andupwards communication of material information.

•

•––––––

�� G. Certification Process: Assessment Stage


6. Assess process level controlsAn organization’s control structure includes controls relevant to ICFR at the level of business processes and material account balances (e.g. revenue, purchasing, payroll, asset management, inventory, period-end closing, etc.) within the company and all organizational units (e.g. divisions, subsidiaries, off-balance sheet/special purpose entities, joint-ventures etc.).

There are several types of process level control particularly relevant to ICFR. The way they are applied and the design factors to be considered in applying them will likely differ depending on the organization’s size and complexity. Each type of control should be assessed for each identified control “system” and organizational unit. The key sub-elements are described below.

Alignment with specific process financial reporting risksHave the principal financial reporting and disclosure risks related to the control system or organizational unit been identified?

The assessment of principal business risks at the entity level should include an identification of principal disclosure and financial reporting risks.

In assessing the design of ICFR, some risks must be addressed at both the entity control and process levels. For example, revenue recognition is often a financial reporting risk in technology companies where accounting standards are complex and difficult to apply.

The financial reporting and disclosure risks need to be identified and aligned with each identified “control system”, organizational unit and account bal-ance to which they are relevant.

Accounting policies and estimatesAre appropriate policies in place to guide the actions and judgments of those involved in the recording of transactions and the preparation of the issuer’s finan-cial statements, including necessary accounting estimates?

Well-developed accounting policies and accompanying application guidance inform the judgments of those involved in financial statement preparation, and also the work of the IT personnel who design (or select) the software for correctly recording transactions.

The lack of an appropriate set of accounting policies and related guidance (manuals, etc.) would indicate the likelihood of an ICFR design weakness.

Accounting estimates present a particularly important challenge for the design of ICFR.

Financial statements contain many estimates. Some are made at the opera-tional level (e.g., inventory obsolescence), others at the corporate level (e.g., in accounting for stock options). Some estimates have detailed specifications (e.g., estimates of unfunded pension obligations and health care obligations), while others have only general parameters (e.g., bad debt provisions).

Accounting estimates can have a major impact on reported results. For this reason, they have often been used to manipulate earnings. Because of their potential impact on reported earnings (and the potential for manipulation), ensuring there is appropriate control over accounting estimates is an impor-tant feature of ICFR design.




ProcessControl A

ProcessControl B

ProcessControl C

ProcessControl D

ProcessControl E

ProcessControl F

ProcessControl G



The increasing complexity of accounting standards increases the challenge of making appropriate accounting estimates (and making the necessary disclo-sures in financial statement footnotes and MD&As). For smaller companies this can be particularly problematic if they do not have the resources neces-sary for such tasks.

Examples of controls the CEO and CFO should address in assessing the design of ICFR with respect to accounting estimates include those to provide reasonable assurance that:

all required estimates are made in preparing the financial statementsthe people involved have the requisite expertise and understand the accounting objectives (e.g., internal actuaries, who prepare valuations for funding and account-ing purposes)the financial and non financial data used in the making estimates are complete and accurate (e.g., payroll and HR data supplied to actuaries to enable them to compute pension accounting estimates)the assumptions used in making/computing the estimate are “reasonable” and free from biasan appropriate methodology is used in preparing/computing the estimate (some methodologies as in pensions are prescribed while other estimates depend on the judgements of management), and is properly documented to ensure consistent appli-cation over timeif specialists are used in preparing an estimate, there is appropriate oversight of the selection of the specialist and the terms of the engagementthe final estimates produced are “reasonable,” free from bias, and fairly presented in the financial statements and MD&A, andsenior management over-ride will be prevented (e.g., improper release of provisions or reserves so that reported results meet analysts’ expectations).

••

•

•

•

•

•

•

Allocation of authority, responsibility and accountabilityIs there an appropriate allocation of authority, responsibility and accountability with respect to those involved in the preparation of the issuer’s financial statements and the management and control of principal financial reporting and disclosure risks?

There are two specific issues for CEOs and CFOs to consider. One is the segregation of certain duties, particularly in smaller companies where staff resources are limited. The other is the effect that decentralization has on an organization, which often occurs as a result of management philosophies of empowerment and organizational flattening.

A lack of an appropriate segregation of duties, such as between purchasing, inventory, payables and payments or personnel administration and payroll, can create design weaknesses that may be difficult to remedy at the business process level. In these situations, board oversight, tone at the top, a culture of integrity and other entity level controls may be the only design features avail-able for adequate ICFR. In addition, the periodic external reviews of trans-actions, reconciliations and accounts by suitably qualified professionals may also be an acceptable remedy.



The segregation of duties in very small entities is often difficult since their size limits the extent to which such segregation is practicable. In a smaller public company, the CEO or controlling shareholder may be able to exercise more effective oversight than they would in a larger entity, thereby compensating for the more limited opportunities for the segregation of duties. On the other hand, the CEO or controlling shareholder may be more able to override con-trols because of the more informal system of internal control.

Knowledge and competence of financial staffDo the people involved in the preparation of financial statements have the neces-sary knowledge (e.g. GAAP), skills and tools to support the preparation of financial statements and making appropriate accounting estimates?

Accounting personnel’s knowledge, skills and experience, including their education and professional qualifications, should be assessed in relation to their roles and responsibilities in the finance functions at the corporate and business unit levels.

Accounting personnel must have the capability of addressing the complex and technical challenges related to the issuer’s GAAP, tax compliance, account-ing and provision estimates, etc. For example, an organization that prepares its financial statements in accordance with US GAAP or prepares a recon-ciliation between US GAAP and Canadian GAAP should have the requisite knowledge and expertise in US GAAP, or acquire it.

Smaller issuers may acquire the expertise they need by retaining expert out-side legal or accounting advice to respond to what would otherwise be a sig-nificant ICFR weakness.

Control activities and documentationHave control activities and procedures (both manual and automated) been estab-lished, documented and communicated throughout the issuer’s organization to promote effective compliance with accounting policies, management directives and regulatory requirements affecting financial reporting?

Application level IT controls are usually very important as well as complex. Management must assess the manual and computer controls needed to achieve the objectives of ICFR, including authorizations and approvals, preparation and supervision of reconciliations, reviews of performance reports, physical controls, variance analysis, etc..

SOX 404 and ICFR reporting in the U.S. has resulted in much more focus on the role of IT controls at the application level. This is likely to be valuable in Canada as the focus on design and evaluation of ICFR accelerates. Well designed IT controls offer significant potential for enhancing the effectiveness of controls in transaction processing systems and simultaneously reducing compliance costs.



Management information and key performance indicatorsAre results of operations as reported in financial statements based on account-ing systems consistent or reconcilable with senior management’s knowledge of actual business operations and with internal management information, including key financial and non-financial performance indicators?

This is both an entity level control, as applied by the CEO, CFO and other corporate executives, and a process level control as applied within control sys-tems and business units.

Just as the extent to which management at all levels receive and review regular, reliable operational and financial reports serves as a useful benchmark for assessing the reliability of periodic financial reports at the entity level, so too is the extent management at the business process level receives and reviews such reports and analyzes variances against targets, budgets and prior period data. Regular review of management reports with the CEO and CFO are valu-able control features.

Similarly, it is important that the culture and incentives at the business process level are conducive to non-financial management communicating upwards about significant variances and related analyses.

Control monitoring and warning signalsAre there appropriate control monitoring activities (e.g. internal audit) that would indicate weaknesses in the design of ICFR? Are other warning indicators of potential design weaknesses in ICFR routinely monitored, such as adjustments required in the annual closing process or the confidential, anonymous submission by employ-ees of concerns regarding questionable accounting matters?

Other warning signals include regulators’ Continuous Disclosure reviews and letters and, possibly, shareholder proposals and institutional investor enquiries.

While control monitoring and assessment is often considered to be an entity level control, especially with respect to a corporate internal audit function, the importance of its application at the business process level for ICFR purposes should not be overlooked.

IT vendors have powerful automated tools for monitoring controls and automatically raising alerts when pre-set error or variance conditions are detected.

Key MessagesAn organization’s overall control structure includes controls relevant to ICFR at the level of business processes and material account balances and at the level of organizational units.

The process level controls summarized above should be assessed for each identified control system and organizational unit.

•

•


HThe final stage in the process for preparing to certify ICFR design is for the CEO and CFO to review all the findings obtained in the preceding steps, form their conclusions about the design of ICFR, and assess the implications for disclosures in the MD&A and the ability of the CEO and CFO to sign their respective certificates.

To sign their certificates, including the new certifications on the design of ICFR required in 2006, the CEO and CFO must be satisfied that:

the design of their ICFR will provide reasonable assurance of attaining the four elements of ICFR, andthere is appropriate disclosure in the MD&A of weaknesses in the design of ICFR, as well as of any changes in ICFR in the most recent quarter.

A special situation exists if the CEO and CFO conclude that there is an uncor-rected material weakness in design of ICFR as of the end of the reporting period, such that the first condition above would not be satisfied. This situa-tion is discussed below under “f. Deciding on signing the certificate”.

a. Review findings from assessments of ICFR designCEOs and CFOs should review their assessment of the design of ICFR at the entity level (control environment and other entity level controls) and at the process level (see matrix below).

Two elements of this entity-level assessment deserve particular emphasis:

The assessment of the expectations set forth by the board and the CEO for the control environment and the culture of integrity, and

Controls over principal financial reporting and disclosure risks.

Controls over principal financial reporting and disclosure risks should be viewed as “mission critical” because these risks could create serious reporting issues if they are not adequately controlled. A design weakness in ICFR with respect to controlling a principal financial reporting or disclosure risk would likely constitute a material design weakness.

•

•

•

•

Certification Process: Conclusions and Disclosure Stage

��

Assess Findings, Form Conclusionsand Make Disclosures

Conclusions andDisclosure Stage


Elements:Control system

AControl system

BControl system

CControl system

D

1. Identify principal financial reporting and disclosure risks

2. Accounting policies

3. Allocation of authority, responsibility and accountability

4. Knowledge and competence of financial staff

5. Control activities and documentation

6. Management information and KPIs

7. Control monitoring & warning signals

The following matrix may be used to summarize the results of assessing the process controls to the various identified control “systems” (business pro-cesses and units).

In Row 1, summarize the financial reporting and disclosure risks applicable to each control “system” that has been assessed. Then, in each cell for Rows 2-7, enter management’s preliminary conclusions for the CEO’s and CFO’s consid-eration, using a scale such as:

A. Evident weakness — there is a need to consider whether there is a signifi-cant deficiency that should be reported to the audit committee or a mate-rial weakness that should be disclosed in the MD&A.

B. Possible weakness — further investigation is required to reach a final con-clusion.

C. No sign of weakness — the ICFR design element looks effective.

Completing a matrix such as the one above makes it possible to identify any pat-terns of apparent systemic weaknesses or specific weakness in a particular busi-ness process or unit. The possibility of compensating entity level controls should also be considered when addressing weaknesses in process level controls.

�� H. Certification Process: Conclusions and Disclosure Stage


Any instance where the CEO and CFO, or those assisting them in applying the elements of ICFR design, are unable to satisfy themselves will usually indicate a potential weakness in the design of ICFR. Consideration then needs to be given to whether any compensating control exists at the entity level that would detect and correct any errors that slipped through this weakness.

b. Disclosure considerations and decisionsChanges will need to be made to ICFR if the CEO and CFO conclude that the design of ICFR, all or in part, does not meet the “reasonable assurance” threshold contemplated in the design certification requirements, and that the impact of a single design weakness or of a combination of weaknesses could result in a material misstatement or omission in the financial statements. Management also needs to consider whether their materiality assessments address the other three objectives of ICFR. Any changes made to ICFR to remedy material design weaknesses are to be disclosed in the MD&A at the end of the reporting period in which the changes were made.19 Following are some important factors to be considered in making disclosure decisions about ICFR weaknesses.

i. Categories of ICFR design weaknessesThere are three levels of disclosure for CEOs and CFOs to consider in evaluat-ing a weakness in the design of ICFR. These are:

Type A — weaknesses that are considered to be material, and should be disclosed in the MD&A as well as to the audit committee and external auditors

Type B — weaknesses that are not considered to be material but are sig-nificant enough to be communicated to the audit committee and external auditors, and

Type C — weaknesses that are not significant from an external reporting perspective, but should be communicated to the appropriate member of management for remediation.

Issuers should develop their own criteria for applying these categories in prac-tice. These criteria should be developed in consultation with internal audit, the external auditors and the audit committee in the interests of consistency in disclosure and internal communication.

When an ICFR design weakness is identified, it is necessary to evaluate its significance and decide which category it falls into. This decision involves:

deciding whether the ICFR design weakness could result in a material error in or misstatement of the financial statements, on either a qualitative or quantitative basis, andthe likelihood of such an error or misstatement actually occurring in future periods.

ii. MaterialityThe accounting literature contains guidance in making materiality determi-nations from both a qualitative and quantitative perspective. Unfortunately, no Canadian guidance is available to help management evaluate the likeli-

19 For December 31 2006 year end annual MD&As, this will be the fourth quarter.

•

•

•

•

•

�� H. Certification Process: Conclusions and Disclosure Stage


hood of errors occurring, or what would constitute a “low” likelihood vs. a “high” likelihood. There is, however, guidance in the U.S. literature, and the following is a summary of the U.S. material for external auditors in evaluating control deficiencies, which may be useful to CEOs and CFOs in assessing the impact of deficiencies detected in ICFR design. The U.S. PCAOB20 has defined a material weakness as “a significant control deficiency, or combination of deficiencies, that results in a more than remote likelihood that a material mis-statement of the annual or interim financial statements will not be prevented or detected.” All material weaknesses would need to be disclosed. In the U.S., control deficiencies that are less serious than a material weakness are required to be disclosed to the audit committee. If one or more material weaknesses exist at the company’s year end, management and the external auditor must conclude that ICFR is not effective.

The U.S. test of “more than a remote likelihood” that a material misstatement will not be prevented or detected by the ICFR design weakness is a low thresh-old and tough standard to use in the assessment of ICFR design weaknesses. However, it needs to be considered, since it could be used by the courts in the absence of a Canadian definition or authoritative guidance. As a result, CEOs and CFOs should use their professional judgment in assessing their findings with respect to the design of ICFR and determining the appropriate disclosure in the MD&A.

Any material design weakness in ICFR should, in our view, be disclosed in the MD&A since it is likely to affect the effectiveness of DC&P. We consider this to be a prudent practice that ensures relevant information is provided to investors. In the absence of a disclosure referencing a design weakness in ICFR, investors are likely to assume that the design of ICFR is effective and that there are no material weaknesses to disclose.

We also point out that, if there is a restatement in a subsequent reporting period to correct financial statement errors that occurred in the current reporting period, regulators (and potential plaintiffs) will look to see whether a design weakness in ICFR was disclosed to alert the reader of the financial statements. If a design weakness was identified but not disclosed, then the burden of proof will be on the officers and directors to justify their decision not to disclose.

iii. A decision tree on disclosure of material weaknessesIt is necessary to consider the need for disclosure of ICFR design changes for weaknesses that are identified but not remediated before the annual financial statements are finalized.

Where an ICFR design weakness is identified before the 2006 annual financial statements are finalized, an investigation should be carried out to determine whether a material error has, in fact, occurred, what adjustments need to be made to the draft 2006 financial statements, and whether a restatement is required to correct errors in prior periods (interim or annual financial state-ments). It would be difficult for officers or directors to demonstrate “due dili-gence” if identified design weaknesses in ICFR were not promptly investigated to assess their qualitative and quantitative impact.

20 Public Company Accounting Oversight Board

40 H. Certification Process: Conclusions and Disclosure Stage


A decision tree to help in deciding on the appropriate disclosures and possible corrections to financial statements needed in relation to ICFR changes regard-ing weaknesses identified (but not remediated) before the financial statements have been finalized is presented below.

Consider an identifiedICFR design weaknessexisting at year end:

Could the designweakness fail to detector prevent a material

error?

Yes

Correct errors, and restateprior period F/S if necessary

anddisclose design weakness

in MD&Aand

disclose what managementis doing to remedy the weakness

Do current or priorperiod F/S in fact contain

a material error?

Yes

Disclose design weaknessin MD&A and what management

is doing to remedythe weakness

Advise management;No disclosure required

Chart 1Steps in deciding if a weakness

in ICFR design at year endshould be disclosed.

No

Not Likely (i.e. remote probability)

iv. Investigating the impact of ICFR design weaknessesInvestigating and correcting any financial statement errors that may have occurred as a result of the ICFR design weakness failing to prevent or detect them does not eliminate the need to disclose the material ICFR design weak-nesses in the annual MD&A. All material weaknesses in the design of ICFR existing at year end should be disclosed, followed by appropriate “change dis-closure” in a future period when they are rectified or remediated. In our view, remediating an ICFR design weakness should require both a “design fix” and a test to determine that the new design is operating effectively in practice. As a rule of thumb, we suggest that a design fix should operate effectively for at least a quarter before it can be considered rectified, at which time the change would be disclosed in the next interim (or annual) MD&A.

Management should also investigate and correct any errors that might occur as a result of the ICFR design weakness in future reporting periods until the weaknesses are remediated. For example, suppose a material weakness in the design of ICFR is detected and disclosed in the 2006 annual MD&A. Management should conduct an investigation to ensure that this weakness did not result in material errors in the 2006 financial statements before these statements are finalized and released. They should then conduct a similar investigation in the first quarter of 2007, and in subsequent quarters, until the

4� H. Certification Process: Conclusions and Disclosure Stage


weakness in the design of ICFR is corrected. To do otherwise could leave these officers, and the directors, exposed to legal and/or regulatory actions if there were a material error in the financial statements and they had done nothing to ensure that the financial statements were fairly presented when they were aware that a material design weakness existed in ICFR.

c. Disclosure examplesSome examples of material weaknesses disclosed by U.S. companies in their annual filings include:

“The company did not maintain effective controls to ensure that there was appropriate support and documentation for reimbursement of expendi-tures, this control deficiency resulted in a misstatement.”

“Management identified a material weakness in our accounting for income taxes. Specifically the company did not maintain sufficient resources in the corporate tax function.”

“Management had determined that a control deficiency related to revenue recognition on contracts entered into with customers constituted a mate-rial weakness.”

“Two material weaknesses related to the company’s vendor debits process and financial statement close process existed in the company’s internal control over financial reporting.”

d. Deciding on disclosure of changes in ICFRParagraph 5 of the CEO/CFO certificate21 for 2006 requires CEOs and CFOs to disclose in the MD&A any material changes in their ICFR that were made in the most recent interim reporting period – Q4 for annual MD&As. This applies to changes that have materially affected ICFR and those that are rea-sonably likely to do so in the future. The failure to make such disclosures would compromise the completeness of the MD&A as well as the CEO’s and CFO’s ability to certify that the filings “fairly present in all material respects the financial condition, results of operations and cash flows of the issuer.”

A decision tree to help in deciding on appropriate disclosures and possible corrections to financial statements needed in relation to ICFR changes in Q4 is presented on the next page. This decision tree is based on our understand-ing of existing published CSA material

Issuers are, of course, encouraged to follow the guidance that the CSA has indicated it is developing about disclosure of changes in ICFR in the interim period preceding the certification.

21 See Appendix 1 for full text of 2006 certification

•

•

•

•



Identify changesin design of ICFR

in prior quarter (Q4).For each change:

Was the changeneeded as a result of

business factors, eventsor decisions that would

otherwise weakenICFR?

Yes

Disclose change in ICFRin the MD&A and correcterrors and restate priorperiod F/S as necessary

Do currentor prior period F/S

in fact containa material error?

Yes

Disclose change in designof ICFR in the MD&ANo Disclosure Required

Was the changein ICFR made to remedy

an identifieddesign weakness?

Investigate impact on currentand prior period F/S.

If material error/s caused,disclose the ICFR change

in the MD&A (and correct errorsand restate prior period F/S

as necessary)

Yes

Chart 2Steps in deciding if a Q4change in ICFR design

should be disclosed

No

No

e. Uncorrected material weaknesses in ICFRA situation may arise where an uncorrected material weakness in design of ICFR has been identified as of the end of the reporting period, appropriate MD&A disclosure has been made about the weakness, and appropriate steps have been taken to ensure that there is no material effect on the financial statements.

Under these circumstances, it seems unlikely that the CEO and CFO would be able to certify that the design of ICFR provides reasonable assurance regard-ing the reliability of financial reporting and the preparation of financial state-ments. This situation would, it might be argued, also prevent the CEO and CFO from signing and filing the full certificate, since the Companion Policy to MI 52-109 does not permit changes of any kind in the wording of the cer-tificates.

If a situation such as this occurs, the matter should be brought to the attention of the audit committee, and legal counsel should be consulted to determine an appropriate course of action. We believe that the CSA may not object to CEOs and CFOs signing their certificates, including the paragraph about ICFR design, if:

The weakness is fully disclosed in the MD&A, together with a formally approved remediation plan, orThe weakness is fully disclosed in the MD&A, together with a statement, including supporting rationale, that the issuer cannot remediate the weak-ness.

In other situations, e.g. the weakness is reasonably capable of remediation but the issuer has not developed a remediation plan, the CSA may be reluctant to accept the certificate.

•

•



We encourage issuers to review the staff guidance that the CSA plans to provide on disclosure regarding ICFR weaknesses, and to consult with legal counsel and the appropriate securities commission on the disclosure and cer-tification to be provided.

If the issuer is disclosing a remediation plan for an identified material weak-ness in ICFR, then in our view such a plan should clearly indicate the actions that need to be taken and when, and the commitment and capability to carry them out. The plan should be approved by the CFO, the CEO and the audit committee. These disclosures should continue to be provided in future peri-ods until the audit committee is satisfied that the remediation plan has been fully implemented.

It would be unwise for management and audit committees to try to rational-ize why an ICFR design weakness is not really material and should not be disclosed, in order to avoid the contradiction that might arise between the disclosures in the MD&A and the wording in the required certificates.

f. Issues for small companiesIn small companies with limited resources, certain ICFR design weaknesses (e.g., segregation of duties) may be difficult or impossible for CEOs and CFOs to rectify in a cost-effective manner.

In addition to following the course of action outlined above regarding uncor-rected material weaknesses, management and the audit committee may wish to consider whether there are other actions that could be taken to provide assurance to investors that these ICFR design weaknesses have not resulted in material error in the financial statements. For example, the audit commit-tee could engage the external auditor to perform quarterly reviews of interim financial statements. If the audit committee engages the auditors to perform quarterly reviews, we recommend that this fact be disclosed in the MD&A.

Additional help from the external auditors is discussed further in the next section of this publication.



Key MessagesCEOs and CFOs should review the assessment of ICFR design for each control system and business unit relative to the principal financial reporting and disclosure risks. A design weakness in ICFR with respect to controlling a principal financial reporting or disclosure risk would likely constitute a material design weakness. The possibility of compensating entity level controls should be considered when addressing weaknesses in process level controls.

Materiality is a critical decision, and requires CEOs and CFOs to exercise their professional judgment. While the definition of material weaknesses in the U.S. auditing literature is not authoritative in Canada (except for inter-listed reporting issuers), it is relevant and needs to be considered.

Any material design weakness in ICFR should be disclosed in the MD&A, since it is likely to also be a design weakness in DC&P.

It is appropriate to also disclose in the MD&A a remediation plan developed by management to correct an ICFR design weakness, providing this plan has been formally approved and the capabilities are in place to implement the plan.

If a material ICFR design weakness is disclosed, but remediating the weakness is not considered to be cost effective, then it is appropriate for management to disclose the actions that have been taken (e.g., engaging the external auditors to perform reviews of the interim financial statements) to ensure that this weakness in ICFR has not contributed to material errors in the financial statements.

MI 52-109 requires that changes made to ICFR to remedy material design weak-nesses be disclosed in the MD&A at the end of the reporting period in which the changes were made.22

Disclosing an unremediated material ICFR design weakness in the MD&A pres-ents a tough question for the CEO and CFO as to whether they should sign their certificates stating that the design of ICFR is effective. The CEO and CFO should consider the expected CSA guidance on such a situation, obtain legal advice and review their proposed course of action with the audit committee. The securities regulators should also be consulted if necessary.

Finally, in assessing the design of ICFR, management should ensure that ICFR is designed to support both internal business decision making as well as external financial reporting. In so doing, the time and effort spent in the design and assess-ment of ICFR will earn a return on this investment.

•

•

•

•

•

•

•

•

22

22 For December 31 2006 year end annual MD&As, this will be the fourth quarter.


IMI 52-109 does not require audit committees, the boards of directors or the external auditors to review or approve the CEO and CFO certificates. Audit committees are, however, required to review the MD&A, which is to include the disclosure of material weaknesses for both DC&P and ICFR and changes in ICFR. As a result, we consider that directors need to become involved with the certification process in relation to ICFR, and audit committees and exter-nal auditors need to exercise their respective responsibilities regarding ICFR and related disclosures. This section summarizes, for the benefit of CEOs and CFOs, our views about the role and responsibilities of the audit committee and board of directors, the role of the external auditors and the ways in which the external auditors may help the audit committee.

The responsibilities of the audit committee and board of directorsMI 52-110, Audit Committees, states that audit committees must review the issuer’s financial statements, MD&A and annual and interim earnings press releases before the issuer publicly discloses this information. The board of directors is required to approve both the issuer’s financial statements and MD&A for release and filing with securities regulators.

Since material weaknesses in DC&P and ICFR, along with material changes in ICFR, are required to be disclosed in the MD&A, the audit committee needs to satisfy itself that these disclosures are complete (i.e., all material weaknesses are disclosed) and fairly presented — just as it would for all other disclosures included in the MD&A.

We believe directors should not just review the draft control-related disclo-sures, but should also understand and assess the certification process that generated these disclosures. We make this suggestion for three reasons.

First, an understanding of the certification process would provide the audit committee with an opportunity to better understand the strengths and weak-nesses of the control systems of the issuer, and where appropriate support from the audit committee would help to strengthen these systems.

The Role of the Audit Committee and External Auditors

4�


Second, it provides the audit committee with an understanding of the pro-cess followed by the CEO and CFO in preparing to certify the effectiveness of ICGR design, and the basis for the judgments exercised in the process and assessment of findings.

Third, it should help the audit committee and directors establish a defence in the event of proceedings under Ontario’s civil liability legislation for second-ary market disclosures. It is in the audit committee’s interest to satisfy itself with respect to the rigour of the CEO/CFO certification process, findings and conclusions. Simply put, a rigorous certification process conducted by the CEO and CFO should be the directors’ best friend in defending themselves against a financial reporting or disclosure related lawsuit.

The audit committee can play an important role in supporting well designed ICFR, and ensuring that these controls are operating effectively. Well designed ICFR helps ensure that the audit committee and other internal users receive timely, accurate and reliable financial information on which to make deci-sions. The audit committee is well positioned to review and influence the design and operation of ICFR. The CFO is normally the primary management interface with the audit committee; also, the external auditors, and often the internal auditors, report to the audit committee on the results of their work. In addition, when the board approves strategic plans, the audit committee can monitor the adequacy of resources allocated for designing and sustaining effective DC&P and ICFR.

The companion publication for audit committees and boards of directors provides a set of 20 questions that audit committees and boards may wish to ask of CEOs and CFOs as part of their due diligence and oversight process to assure themselves that the CEO and CFO have conducted a duly rigorous assessment of the design of ICFR.

The responsibilities of the external auditorThe external auditors can assist the audit committee and the board of direc-tors in a number of ways, depending on the terms of their audit appointment and the other services they have been asked to perform. Today, the audits of Canadian public companies must be performed in accordance with either U.S. Generally Accepted Auditing Standards (GAAS) or Canadian GAAS. The external auditors of companies that are SEC registrants must comply with U.S. SOX 404 requirements and perform their audits in accordance with the auditing standards of the U.S. PCAOB , which require them to provide opin-ions on:

the financial statementsmanagement’s assessment of ICFR, andthe design and operational effectiveness of ICFR.

The external auditors of Canadian domestic issuers are required only to audit and report on the annual financial statements. Under Canadian standards, the auditor does not provide an opinion on the operating effectiveness of DC&P or on the design of ICFR .

•••

4� I. The Role of the Audit Committee and External Auditors


Understanding the differences between these two sets of auditing standards is important, since many corporate directors will sit on the boards of both Canadian domestic issuers and SEC registrants. The following is a brief over-view of the implications.

Under U.S. standards for providing the ICFR related opinions, the auditors are required to obtain a much deeper understanding and knowledge of the design and operating effectiveness of ICFR, enabling them to provide infor-mation likely to be of use to the audit committee. More importantly, the audit committee and board of directors are likely to be able to rely on the auditor’s control related opinions as reports provided by an “expert.” This additional knowledge and assurance, however, comes at a price since the external audi-tors must significantly expand their review and testing of ICFR beyond that involved in a financial statement audit.

Canadian auditing standards, on the other hand, have been developed to support an audit of the financial statements, but not to provide additional opinions or assurance on ICFR. In conducting the audit the auditor does, however, obtain some insights on aspects of the design of ICFR and its operat-ing effectiveness. As a result, the external auditors can help audit committees understand the design of ICFR and any weaknesses they have detected in the course of their financial statement audit. The following paragraphs illustrate how the external auditor obtains knowledge about the design and operating effectiveness of ICFR.

In conducting a financial statement audit, the external auditor is required under Canadian GAAS to obtain an understanding of internal control rele-vant to the audit. Controls relevant to a financial statement audit are those that pertain to the entity’s objective of preparing financial statements for external purposes that are fairly presented, in all material respects, in accordance with generally accepted accounting principles (GAAP) and the management of risks that may give rise to a material misstatement in those financial statements.

When obtaining an understanding of internal control relevant to the audit, the auditor evaluates the design of relevant controls and determines whether these controls have been implemented. The external auditor’s objectives in obtaining this understanding are to:

identify types of potential misstatements of the financial statementsconsider factors that affect the risks of material misstatement of the finan-cial statements; anddesign the nature, timing and extent of further audit procedures to be per-formed.

If, in determining the nature, timing and extent of further audit procedures to be performed, the external auditor decides to rely on the operating effective-ness of specific controls, the external auditor is required by GAAS to test that those controls operated effectively. The nature, timing and extent of tests of the operating effectiveness of these specific controls, and the work done on the design and implementation of controls relevant to the audit, are not intended to, and do not provide an appropriate basis for the external auditor to form an opinion on the operating effectiveness of ICFR as a whole. Accordingly, the external auditor does not provide such an opinion.

••

•

4� I. The Role of the Audit Committee and External Auditors


Communication with the audit committeeDuring the course of planning and performing the financial statement audit, the auditor may identify significant weaknesses in internal control relevant to the audit, management and the audit committee. To comply with GAAS, external auditors are required to communicate such weaknesses to the audit committee or its equivalent. Audit committees should, therefore, engage in an open and frank discussion with their external auditor to ensure that they understand the auditor’s views on the design of ICFR and any potential ICFR weaknesses that are of concern to the auditor.

When evaluating the effectiveness of the DC&P and assessing whether the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements, the CEO and CFO should also take into account material weaknesses in internal con-trol communicated by the external auditor.

For their part, the external auditors are associated with the MD&A and must therefore review the MD&A to ensure its consistency with the financial state-ments and the knowledge they have developed during the course of the audit. Should the external auditor conclude that the representations or disclosures in the MD&A are inconsistent with their knowledge (e.g., the MD&A does not disclose any weaknesses in the design of ICFR but the external auditor is aware of design weaknesses that they consider to be material) then the exter-nal auditor is required to communicate this information to the audit commit-tee and take whatever action is necessary.

Additional help from the external auditorsWhile the auditor’s communication of material weaknesses in internal con-trols may provide some useful insights into ICFR, the auditor cannot provide assurance with respect to the effectiveness of ICFR through an examination of financial statements alone. Nor can work done in a financial statement audit provide the type of assurance given to audit committees and boards of inter-listed companies subject to SOX 404. In order to receive such assurance, a Canadian issuer would have to engage its auditor to perform an engagement with the specific objective of providing assurance on ICFR. Such an engage-ment would require the auditor to perform procedures that were not included in the financial statement audit. The terms of such an engagement should be agreed between the auditor and the issuer (including approval by the audit committee) and be appropriately documented. While this alternative is likely to involve significant costs, it is probably the most effective way of minimiz-ing the liability exposure of the issuer, its officers and directors. Whether the benefits are worth the costs involved is something for each audit committee to determine based on the issuer’s specific circumstances.

Another, less costly, option is for the audit committee to engage the external auditor to perform “specified procedures” to support the audit committee’s due diligence assertion that it conducted a reasonable investigation. Such pro-

�0 I. The Role of the Audit Committee and External Auditors


cedures might include performing tests of those controls related to principal financial reporting and disclosure risks. In such engagements the external auditor would:

agree with management and the audit committee as to the procedures to be performedperform those procedures, andreport to management and the audit committee their findings.

While “specified procedures” engagements do not provide assurance on the overall design or operating effectiveness of ICFR, they would support an assertion that the audit committee conducted a “reasonable investigation.” They would also provide objective evidence for management and the audit committee to use in determining whether the disclosure of material weak-nesses in the MD&A is required or not.

External auditors can also assist management with the documentation and evaluation of control procedures. However, depending on the nature and extent of procedures to be performed, such engagements could pose a threat to the auditors’ independence since it could place the auditors in a position of auditing their own work.

Key MessagesMI 52-109 does not require the audit committee or board of directors to approve the CEO’s and CFO’s certificates, however they should review and approve the CEO’s and CFO’s conclusions that are disclosed in the MD&A.

While the external auditors are not required to audit the disclosures contained in the MD&A, they must review the MD&A to ensure that the ICFR related disclo-sures are consistent with the knowledge developed during the financial state-ment audit.

The audit committee should ask probing questions, and obtain relevant informa-tion and reports to satisfy itself that the certification process was thorough, rigorous and that all findings were dealt with appropriately.

If the audit committee desires more assurance from the external auditor than that provided in the audit of financial statements, they can:

engage the external auditors to expand their audit procedures to provide a report containing an opinion on the design and operating effectiveness of ICFR similar to that provided in an audit of ICFR performed in accordance with U.S. auditing standards, orengage the external auditors to perform certain “specified procedures” with respect to ICFR and report their findings to both management and the audit committee.

Audit committees should encourage their organizations to take a “beyond com-pliance” approach that integrates ICFR into their business and risk management practices and helps them achieve their business objectives.

•

•

•

•

–

–

•

•

••

�� I. The Role of the Audit Committee and External Auditors

JThe top-down, risk-based process described in this publication is intended to help CEOs and CFOs comply in a cost effective way with the CSA require-ments for 2006 certifications on design of ICFR and changes in ICFR. It also provides the opportunity for CEOs and CFOs to put in place the foundation for the next phase of certification which deals with the operating effective-ness of ICFR. Performing a risk based assessment of the design of ICFR, and making the investments to remediate whatever weaknesses are identified, will strengthen internal business control and help avoid future more costly or even embarrassing surprises.

Assessing the design of ICFR may also identify opportunities to strengthen governance processes, such as the way in which the board monitors the imple-mentation of an organization’s code of business conduct and the disciplines involved in establishing and sustaining a culture of integrity. This is essential for effective ICFR and should contribute more broadly to effective corporate governance.

The time and cost spent on assessing ICFR design in 2006, together with the remediation of identified weaknesses, will be an investment that should pay dividends in future periods.

Developing this publication brought to light two specific issues that, unless addressed, will also affect the fourth phase of certification. We raise these issues so that regulators and the CA profession can develop the appropriate responses to help issuers implement these new requirements.

The first is the situation faced by an issuer who has identified and disclosed a material weakness in ICFR at the end of 2006. CEOs and CFOs of such issuers may be unwilling to provide the required certification about design of effec-tive ICFR, and, since they are not permitted to modify the certificate, this may mean they are not be able to provide any type of certificate at all. The CSA is aware of this problem and is expected to provide staff guidance in the near future about disclosure of ICFR design weaknesses and changes.

Readiness for the Fourth Phase of Certification

��


The second is the lack of guidance for small companies, especially micro cap companies, with respect to ICFR. Many of these companies do not have the resources to apply GAAP or design and implement effective segregation of duties, and they often have a controlling shareholder who is the CEO. In some areas, these small/micro cap issuers have material weaknesses in ICFR while in other areas they have strong controls due to the active involvement of the CEO/controlling shareholder in the business. While there are compensating steps that issuers and their audit committees can take to ensure the reliability of financial reporting, these may be costly. There is an urgent need, in our view, for well-developed practical guidance on ICFR design, material weak-ness disclosure and mitigating strategies for these small/micro cap issuers; the development of such guidance was well beyond the scope of this project.

The top-down, risk-based approach to assessing the design of ICFR presented in this publication will provide a solid foundation for assessing the operating effectiveness of ICFR when it is required. This guidance is, however, only a beginning; it needs to be updated and enhanced as experience is obtained. The authors and the CICA’s Risk Management and Governance Board are anxious to obtain feedback, suggestions and ideas on how this guidance can be improved. Comments and suggestions will be appreciated and should be provided to [email protected].

�4 J. Readiness for the Fourth Phase of Certification

mailto:[email protected]

A1Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006

Appendix 1

The CSA’s Revised Flight Plan

ContentCertification

Control Certification

Disclosure Controls(DC&P)

Internal Controls(ICFR)

2004 2005 2006 2007

Management’s Bare Certification of

Financial Information(Annual and Quarterly)







Phase 1

Management’s Certification of

Design and Evaluation of DC&P(Annual)

Management’s Certification of Design (Annual

and Quarterly) and Evaluation (Annual)

of DC&P

Management’s Certification of Design (Annual

and Quarterly) and Evaluation (Annual)

of DC&P

Phase 2

Management’s Certification of Design of ICFR(Annual and Quarterly)

Management’s Certification of Design of ICFR(Annual and Quarterly)

Phase 3

Management’s Certification of

Evaluation of ICFR(Annual –

Earliest Date)

Phase 4

��


Form 52-109F1 - Certification of Annual FilingsI, <identify the certifying officer, the issuer, and his or her position at the issuer›, certify that:

1. I have reviewed the annual filings (as this term is defined in Multilateral Instrument 52-109 Certification of Disclosure inIssuers’ Annual and Interim Filings) of ‹identify issuer› (the issuer) for the period ending ‹state the relevant date›;

2. Based on my knowledge, the annual filings do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances under which it was made, with respect to the period covered by the annual filings;

3. Based on my knowledge, the annual financial statements together with the other financial information included in the annual filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer, as of the date and for the periods presented in the annual filings;

4. The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have:a. designed such disclosure controls and procedures, or caused them to be designed under our supervision, to provide

reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which the annual filings are being prepared;

b. designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP; and

c. evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the period covered by the annual filings and have caused the issuer to disclose in the annual MD&A our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on such evaluation; and

5. I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reportingthat occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materiallyaffect, the issuer’s internal control over financial reporting.

SignatureTitleDate

56 A1. Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006

A2MI �2-�0� Definitions of Disclosure Controls and Pro-cedures and Internal Control Over Financial ReportingFrom CSA MI 52-109, Part 1, 1.1:

1. Disclosure Controls and Procedures (DC&P)

“disclosure controls and procedures” means controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under provincial and territorial securi-ties legislation is recorded, processed, summarized and reported within the time periods specified in the provincial and territorial securities legislation and include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under provincial and ter-ritorial securities legislation is accumulated and communicated to the issuer’s management, including its chief executive officers and chief financial officers (or persons who perform similar functions to a chief executive officer or a chief financial officer), as appropriate to allow timely decisions regarding required disclosure;”

2. Internal Control over Financial Reporting (ICFR)

“internal control over financial reporting” means a process designed by, or under the supervision of, the issuer’s chief executive officers and chief financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP and includes those policies and procedures that:

(a) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer,

Appendix 2

��


(b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issu-er’s GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and

(c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the annual financial statements or interim finan-cial statements;”

58 A2. Diagram illustrating the four phases of CEO/CFO certification and the annual certificate required in 2006

A3Where to Find More InformationSecurities Laws and Regulations — Canadawww.osc.gov.on.ca/Regulation/Rulemaking/rrn_index.jsp

Canadian Securities Administrators (CSA)Multilateral Instrument 52-109 Certification of Disclosure in Issuers Annual and Interim FilingsMultilateral Instrument 52-109CP Companion PolicyMultilateral Instrument 52-110 Audit CommitteesMultilateral Instrument 52-110CP Companion PolicyNational Policy 58-201 Corporate Governance GuidelinesNational Instrument 58-101 Disclosure of Corporate Governance ePracticesNational Policy 51-201 Disclosure StandardsNational Instrument 51-102 Continuous Disclosure ObligationsStaff Notice 52-311 Regarding Required Forms of Certificates under MI 52-109Staff Notice 52-313 Regarding Status of Proposed MI 52-111 and Proposed Amendments to MI 52-109

Amendments to the Securities Act (Ontario) and Regulation 1015 (as enacted in 2005 under Bill 198)

Securities Laws and Regulations — United Stateshttp://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley

United States Securities and Exchange Commission (SEC) www.sec.gov

—

—————

———

—

Appendix 3

��

http://www.osc.gov.on.ca/Regulation/Rulemaking/rrn_index.jsp

http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley

http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley

http://www.sec.gov


CICA Publicationswww.rmgb.ca

CEO and CFO Certification: Improving Transparency and Accountability20 Questions Directors Should Ask about Codes of Conduct20 Questions Directors Should Ask about Internal Audit20 Questions Directors Should Ask about IT20 Questions Directors Should Ask about MD&A20 Questions Directors Should Ask about Risk 2nd editionRisk Management: What Boards Should Expect from CFOsFinancial Aspects of Governance: What Boards Should Expect from CFOsIntegrity in the Spotlight: Audit Committees in a High Risk WorldLearning about Risk: Choices, Connections and CompetenciesGuidance on ControlGuidance on Assessing ControlUnderstanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better DisclosureManagement’s Discussion and Analysis — Guidance on Preparation and DisclosureCICA Handbook — Assurance Recommendations

Other

International Federation of Accountants Internal Controls — A Review of Current Developments, Information

Paper, August 2006 www.ifac.org

The Committee of Sponsoring Organizations of the Treadway Commis-sion (COSO), USA Internal Control over Financial Reporting — Guidance for Smaller Public

Companies, 2006 Internal Control — Integrated Framework, 1992 www.coso.org

Public Company Accounting Oversight Board (PCAOB, USA) Auditing Standard No.2

Perspectives on Internal Control Reporting — A Resource for Financial Market Participants (Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, PricewaterhouseCoopers LLP; USA, December 2004)

—————————————

—

—

60 A3. Where to Find More Information

http://www.rmgb.ca

http://www.ifac.org

http://www.coso.org

AuthorsJames L. Goodfellow, FCA, is a partner and vice chairman of Deloitte who advises boards of directors, audit committees, corporate executives and securities regulators in Canada and internationally on corporate reporting and governance related issues. He recently co-authored the book Integrity in the Spotlight: Audit Committees in a High Risk World.

He served as research director for the Joint Committee on Corporate Gover-nance, is a past chairman of the CICA Accounting Standards Board, and has served on the CICA’s Emerging Issues Committee. He is a past chairman of the CICA Canadian Performance Reporting Board.

He is a frequent speaker on issues related to financial reporting, corporate governance and audit committees. He believes strongly that the external audi-tor should be accountable to the board of directors and the audit committee as representatives of the shareholders, and that this repositioning of the audi-tor/client relationship can produce significant benefits to the effectiveness of the audit.

Jim Goodfellow has served on the board of directors of Deloitte and, in the past, served as the firm’s National Director of Accounting & Auditing. He is a senior partner responsible for providing services to some of his firm’s largest clients.

Alan D. Willis, CA, is an independent consultant in the fields of corporate governance, performance measurement and business reporting, with a par-ticular focus on the linkages of these topics with sustainable development and the business value of stakeholder relations. He directed the development of CICA’s guidance on MD&A preparation and disclosure and wrote the related briefing “20 Questions Directors Should Ask About Management’s Discus-sion and Analysis.” He co-authored CICA’s publication “Learning about Risk: Choices, Connections and Competencies.”

His first foray into the realm of corporate governance was writing a guid-ance booklet for audit committees and creating a documentary film about corporate directors in 1971. He observes that both would still be remarkably relevant today.

About the Authors

6�


As a member of the International Corporate Governance Network, he serves on its Non-financial Business Reporting Committee. He has worked exten-sively with Canadian and international initiatives to develop performance indicators and reporting guidelines relevant to corporate management of and disclosure about climate change impacts, environmental performance and corporate social responsibility. He is currently engaged in a multi-disciplinary North American project on the design of a new corporate governance model for the 21st. century.

62 About the Authors

INTERNAL CONTROL 2006:THE NEXT WAVE OF CERTIFICATIONGuidance for Management277 Wellington Street West Toronto, ON Canada M5V 3H2 Tel: 416-977-0748 www.rmgb.ca

Documents

Internal Control 2006: The Next Wave of Certification ... · The Role of the Audit Committee and External Auditors 47 ... The Next Wave of Certification— Guidance for Management