Internal Control: The Next Wave of Certification -- Helping ...

  • 1,163 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,163
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
19
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. INTERNAL CONTROL: THE NEXT WAVE OF CERTIFICATION Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting James L. Goodfellow and Alan D. Willis
  • 2. INTERNAL CONTROL: THE NEXT WAVE OF CERTIFICATION Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting James L. Goodfellow and Alan D. Willis
  • 3. Copyright © 2007 The Canadian Institute of Chartered Accountants 277 Wellington Street West Toronto, Canada M5V 3H2 www.rmgb.ca Disponible en français Printed in Canada
  • 4. TOC Table of Contents Preface v A. Introduction 1 The Certification Requirements 1 Implications for Smaller Issuers 2 About This Publication 3 B. Implications for Boards of Directors and Audit Committees of Small Issuers 5 C. Identifying Weaknesses in Design of Internal Control over Financial Reporting 7 D. MD&A Disclosures About ICFR and ICFR Design Weaknesses 11 Disclosure Decisions: Requirements and Recommendations 12 Materiality 14 Disclosure When No Material ICFR Design Weaknesses are Identified 16 Disclosure When Material ICFR Design Weaknesses are Identified 16 The design assessment process 16 Weakness descriptions 17 Remediation plans 17 Mitigating activities over accuracy of financial reporting 17 Disclosure Examples 18 1. Weakness in controls regarding revenue recognition 20 2. Lack of taxation and GAAP accounting expertise 20 3. Lack of documentation about control procedures 21 . Lack of control monitoring and reconciliations 21 5. Weakness in the control environment 21 6. Weakness in entity level information technology controls 22 7. Management override of controls 22 8. Inadequate segregation of duties 23 iii
  • 5. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting 9. Incomplete integration of acquisition 23 10. Inadequate policies for approval of related party transactions 24 Consequences of Incomplete or Inaccurate Disclosures 24 E. External Auditor Involvement with ICFR Certification and Disclosures 27 External Auditors and ICFR 27 Association with the MD&A 28 F. Conclusion — Preparing for the Fourth Wave of Certification 29 Appendix 1: Form 52-109F1 — Certification of Annual Filings 31 Appendix 2: Characteristics of Small Companies that Affect ICFR 33 Concentration of Decision-making Power, and the Potential for Management Override 34 Effectiveness of Board and Audit Committee Oversight 34 Limited Staff and Segregation of Duties 35 Limited Professional Accounting and Financial Reporting Expertise 35 Lack of Formal Operating, Accounting and Authorization Policies and Procedures 35 Stage of Company’s Development as a Business 36 Smaller Size, Less Complex Operations 36 Use of Information Technology Systems, Packages and Practices 36 Appendix 3: Where to Find More Information 39 About the Authors 43 iv Table of Contents
  • 6. Preface Preface The Risk Management and Governance Board (the RMG Board) of the Cana- Risk Management and Governance Board dian Institute of Chartered Accountants commissioned this document to help Thomas Peddie, FCA, Chair CEOs and CFOs of smaller reporting issuers to fulfill their responsibilities regarding certification and disclosure about internal control over financial Dan Cornacchia, FCA reporting (ICFR) that became effective in 2006. While this publication was Brian Ferguson, CA initially directed at helping smaller issuers, the disclosure framework and John Fraser, CA examples may be helpful to larger issuers too. Michael Harris, CA Andrew J. MacDougall, LLB The Canadian Securities Administrators’ (CSA) Multilateral Instrument 52-109, Peter W. Roberts, FCA, CPA Certification of Disclosure in Issuers’ Annual and Interim Filings, requires (Illinois) CEOs and CFOs to include for the first time in their 2006 annual certificates Josee Santoni, CA declarations about the design of ICFR and about providing in the MD&A dis- closure regarding changes in ICFR. This is in addition to the existing certifica- Directors Advisory Group tions that address disclosure controls and procedures (DC&P) and providing Giles Meikle, FCA, Chair in the MD&A disclosure of their conclusions from evaluating DC&P. James Arnett, QC This publication builds on Internal Control 2006: The Next Wave of Certifica- William Dimma, F.ICD, ICD.D tion, Guidance for Management, which provides CEOs and CFOs (and other John Ferguson, FCA management) with a top-down, risk-based process to follow in certifying the Gordon Hall, FSA, ICD.D design of ICFR, including a methodology for assessing ICFR design weak- Robin Korthals nesses and deciding on necessary disclosures. This publication also comple- Mary Mogford, F.ICD, ICD.D ments existing CICA publications dealing with control, risk, corporate gover- Patrick O’Callaghan nance, disclosure and CFO responsibilities. Ronald Osborne, FCA Guylaine Saucier, CM, FCA The guidance in the Internal Control 2006: The Next Wave of Certification, Guidance for Management and Guidance for Directors publications was devel- CICA Staff oped for the benefit of TSX and venture issuers in general, with only limited William Swirsky, FCA attention to the circumstances of smaller issuers. This new publication was Vice President, commissioned to address the special certification and disclosure challenges Knowledge Development that are faced by smaller reporting issuers, whether TSX or TSX Venture listed. Gigi Dawe We believe, however, that it may also be of value to larger issuers in addressing Principal, disclosure issues where ICFR design weaknesses have been found to exist. Risk Management and Governance v
  • 7. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting The RMG Board acknowledges and thanks the authors — James L. Goodfel- low, FCA, Vice Chair of Deloitte, and Alan Willis, CA, Alan Willis & Asso- ciates — and Brian Reinke, FCA, Deloitte, Hugh Miller and many others who contributed comments and helpful suggestions. The authors are responsible for the views expressed in this publication; it does not represent, amend or replace any professional standard nor does it consti- tute prescribed minimum requirements. Management and directors should consult their professional advisors on any matter about which they seek clari- fication, further information or guidance. Tom Peddie, FCA Chair, Risk Management and Governance Board Authors James L. Goodfellow, FCA Alan D. Willis, CA Editor Hugh Miller Project Director Gigi Dawe, Principal, CICA vi Preface
  • 8. A Introduction In their annual certificates for 2006, CEOs and CFOs of Canadian report- ing issuers are, for the first time, required to certify the design of internal control over financial reporting. Reporting issuers, particularly smaller ones, will likely face some challenges in making this certification and providing the required disclosures when they have to address the implications of any material weaknesses that they identify in the design of internal control over financial reporting (ICFR). This publication provides the authors’ advice to CEOs and CFOs of smaller companies on responding to the new certification and disclosure require- ments. It builds on, and is intended to be used in conjunction with, the guid- ance offered in CICA’s September 2006 publication Internal Control 2006: The Next Wave of Certification — Guidance for Management. That publication acknowledged that special challenges are likely to be faced by small issuers due to their particular circumstances and characteristics, but was not able to offer the level of practical guidance about those challenges that this new publication aims to provide. The Certification Requirements The Canadian Securities Administrators (CSA) Multilateral Instrument 52-109, Certification of Disclosure in Issuers’ Annual and Interim Filings, requires CEOs and CFOs to certify in their 2006 annual certificates1 that they are responsible for establishing and maintaining not only disclosure controls and procedures (DC&P) but also internal control over financial reporting (ICFR). It also requires them to certify that they have “designed such internal control over financial reporting…to provide reasonable assurance regarding the reli- ability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.” 1 To be precise, for years ending after June 29, 2006. 1
  • 9. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting The CEO and CFO certificates must also now state that “any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reason- ably likely to materially affect, the issuer’s internal control over financial reporting” is disclosed in the MD&A.2 In March 2006, the CSA announced its intention to expand the certifications of all reporting issuers in 2007 to include a certification about the evaluation of the operating effectiveness of ICFR and that they have provided MD&A disclosure of conclusions about ICFR effectiveness. Separate auditor attesta- tion about ICFR is no longer expected under Canadian requirements.3 In Feb- ruary 2007, CSA Notice 52-317 announced that the CSA plans to publish its proposed revisions to MI 52-109 by the end of March 2007 and will propose that the new requirements regarding ICFR certification and disclosure will apply in respect of financial years ending on or after June 30, 2008. Meanwhile in the United States, the SEC announced proposals in December 2006 for interpretive guidance for management regarding its evaluation of ICFR and the PCAOB announced proposals for revisions to its Auditing Stan- dard No. 2 on ICFR. These announcements emphasize the importance of a top-down, risk-based approach to ICFR evaluation and audit, respectively. Also, earlier in 2006 COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released guidance on internal control for smaller public companies. Readers should recognize, however, that in the United States smaller public companies tend to be much larger than those regarded as smaller public companies in Canada’s capital markets.5 Implications for Smaller Issuers Certifying the design of ICFR is no small task, especially for a smaller company. Venture issuers are not exempt from the ICFR design certification require- ments; there are important practical considerations for all smaller companies, TSX listed as well as TSX-V listed, to address that typically arise from their smaller size and stage of development as a business. MI 52-109 requires that they certify the design of ICFR, although their organizational characteristics and lack of financial resources may result in some weaknesses in ICFR that they may conclude cannot be readily or immediately corrected in a cost-effec- tive way. This would, on the face of things, preclude them from providing the required certification (the wording of which cannot be amended) about the design of ICFR. Recognizing this problem, in September 2006, the CSA issued Staff Notice 52-316, indicating the circumstances in which, in the view of CSA staff, cer- tifying officers can certify the design of ICFR even when they have identified weaknesses in its design. 2 The full MI 52-109 annual certificate for 2006 is reproduced in Appendix A. 3 See CSA Notice 52-313, March 10, 2006.  The CSA also indicated the revised instrument would be known as National Instrument 52-109. 5 About two thirds of Canadian TSX and TSX-V reporting issuers have market cap under $25 million. 2 A. Introduction
  • 10. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting About This Publication This publication briefly discusses the implications of ICFR certification and disclosures for boards of directors and audit committees of smaller issuers, and suggests an approach that CEOs and CFOs may wish to adopt in assess- ing ICFR design and identifying ICFR weaknesses. It focuses in particular on MD&A disclosure issues about ICFR design, especially where ICFR design weaknesses exist at the end of the year, and includes illustrative examples of MD&A disclosure regarding various typical ICFR weaknesses. The publica- tion briefly discusses external auditor involvement with ICFR and related MD&A disclosures about ICFR. It concludes with a look ahead to the final wave of certification when the CSA introduces and finalizes its requirements for certification and disclosure about the operational effectiveness of ICFR, which are not expected to come into force until 2008. The authors emphasize that ICFR should not just be about designing a response that complies with the minimal financial reporting requirements of securities regulators. A well-designed ICFR system provides reasonable assur- ance that assets are safeguarded, transactions are appropriately authorized and recorded, and reliable financial information is reported to internal deci- sion makers as well as to external users. In short, a well-designed ICFR system contributes to the enterprise’s ability to make decisions that help it achieve its business objectives, including those regarding competitive advantage and long-term development. We believe the disclosure of material weaknesses in the design of ICFR and the expected CSA requirements regarding evaluation of the operational effec- tiveness of ICFR represent an important step in the evolution of financial reporting. Readers of financial statements will be given information that will enable them to better assess whether there is a risk of the financial statements not being presented in accordance with GAAP. These disclosure requirements have the potential to be “leading indicators,” in that the goal is to provide readers of financial statements with information that could indicate the pos- sibility of material errors arising in financial statements to be issued in the future. Unfortunately, there is also a down side to this disclosure requirement. If a company is forced to make a restatement at a future date to correct a material error made in the current year, then investors may turn to the earlier MD&A to see if an ICFR weakness relating to the error was disclosed. The authors wish to state at the outset that the existence of a weakness in design of ICFR in a small issuer should not necessarily be interpreted as evi- dence of a lack of integrity, of unsound business practices or of unacceptable risks to its shareholders and other interested parties. Transparency and com- pleteness by a smaller issuer in its disclosures about ICFR can be effective in building credibility and confidence in its financial reporting and the way in which it conducts its business. 3 A. Introduction
  • 11. B Implications for Boards of Directors and Audit Committees of Small Issuers The certification and disclosure requirements raise important questions for audit committees and boards of directors of small issuers, especially when management has identified weaknesses in the design of ICFR. • What assurance does the board need when it is asked to approve the finan- cial statements where ICFR design weaknesses have been identified, which may mean material errors or misstatements have not been prevented or detected? • What action is needed if the assessment process identifies material ICFR design weaknesses that existed when earlier financial statements were approved and issued? • Is management’s plan for remediating a material ICFR design weakness reasonable? • Are management’s reasons for not correcting a material ICFR design weak- ness in the best interests of the company and acceptable to its shareholders? MI 52-109 does not require audit committees, boards of directors or external auditors to review or approve the CEO and CFO certificates. Audit commit- tees are, however, required to review the MD&A6, which must already include disclosure of the certifying officers’ conclusions about the effectiveness of the company’s DC&P, based on management’s evaluation of it. Now, the MD&A must also contain disclosures about ICFR changes and possibly disclosure about any identified, unremediated material weaknesses in ICFR design. For these reasons, we consider that boards and audit committees of all small reporting issuers need to understand and be satisfied with the design assess- ment process that forms the basis for the resulting ICFR certification and dis- closure decisions. The board and audit committee also need to satisfy themselves that disclo- sures regarding DC&P and ICFR in the MD&A are complete and fairly pre- sented — just as it would for all other disclosures included in the MD&A. 6 MI 52-110, Audit Committees, states that audit committees must review the issuer’s financial statements, MD&A and annual and interim earnings press releases before the issuer publicly discloses this information. 5
  • 12. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting We make these suggestions for three reasons. First, an understanding of the certification process and management’s con- clusions provides the audit committee with an opportunity to better assess the strengths and weaknesses of the control systems of the issuer, and where appropriate initiate or support actions to improve controls. Second, an understanding of the certification process and management’s con- clusions provides the audit committee with: (a) an understanding of the judgments made by the CEO and CFO in prepar- ing to certify the effectiveness of ICFR design, particularly where unre- mediated material ICFR design weaknesses are disclosed in the MD&A, either together with remediation plans or with management’s reasons for not proposing any remediation; and (b) a basis for assessing the reasonableness, completeness and transparency of the proposed MD&A disclosures that are to be approved by the board. Third, it should help the audit committee and directors establish a defence in the event of proceedings under provincial civil liability legislation for second- ary market disclosures, which now exists in Alberta, Manitoba and Ontario. The CICA’s September 2006 publication for audit committees and boards of directors, Internal Control 2006: The Next Wave of Certification — Guidance for Directors, includes 20 questions that audit committees and boards may wish to ask of CEOs and CFOs as part of their due diligence and oversight process, to assure themselves that the CEO and CFO have conducted a duly rigorous assessment of the design of ICFR. These questions are appropriate for all sizes of reporting issuers. In addition, through their more active involve- ment and oversight of control monitoring, audit committees of smaller issuers can play a particularly valuable role in guarding against possible management override of controls. Asking appropriate questions is essential for effective oversight. B. Implications for Boards of Directors  and Audit Committees of Small Issuers
  • 13. C Identifying Weaknesses in Design of Internal Control over Financial Reporting This chapter focuses on the key features of a process for identifying ICFR design weaknesses that must be considered when making the certification and disclosure decisions discussed in chapter D. Most smaller issuers will readily be able to conclude whether or not they have ICFR design weaknesses to be addressed from a certification and disclosure point of view by considering the characteristics of smaller issuers (discussed in Appendix 2) and the key features of the recommended process for assessing ICFR design. The CICA publication, Internal Control 2006: The Next Wave of Certifica- tion — Guidance for Management, recommends a three-stage approach, which has seven steps for certifying the design of ICFR. A key feature of that approach is that it is based on a practical top-down, risk-based phi- Process for Certifying the Design of ICFR losophy, rather than a bottom-up, transaction based, com- prehensive checklist mentality. In other words, it focuses on what is important in terms of financial reporting risks. 1 Preparation Stage Review Relevant Control Information The diagram (to the left) summarizes the recommended 2 Identify Relevant Control design assessment process. Systems and Material Account Balances It may not be necessary to work through every step in the 3 Review Principal Financial Reporting and Disclosure Risks process illustrated in the above mentioned diagram in order to reach a supportable conclusion about the design of ICFR and the existence, nature and potential impact of Assessment of Design Stage 4 Assess Control Environment any ICFR design weaknesses in a small issuer. Instead, it 5 Assess Other Entity Level Controls will often be more useful to focus on what is important. 6 6 6 6 6 6 6 As discussed in more detail in Internal Control 2006: The Process Control A Process Control B Process Control C Process Control D Process Control E Process Control F Process Control G Next Wave of Certification — Guidance for Management, the steps in the Preparation Stage are important to the top-down, risk-based approach. These steps are to: 1. Review information that suggests the existence of pos- 7 Conclusions and Disclosure Stage Assess Findings, Form Conclusions sible ICFR weaknesses, such as errors detected by the and Make Appropriate Disclosures external auditors or management in the closing process, and control issues raised in external auditors’ manage- ment letters. 
  • 14. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting 2. Identify the relevant control systems and the related material account bal- ances that are most important and relevant to the business and its financial statements. 3. Identify and assess the principal risks that could adversely impact financial reporting and disclosure. In the Assessment of Design Stage, we believe it is useful to distinguish between three levels of control that exist in smaller companies: • The overall control environment including the “tone at the top” and the extent and nature of involvement of the audit committee and board of directors. • Controls over the preparation of financial statements, including controls regarding accounting estimates, closing adjustments and the application of accounting principles in the preparation of financial statements and the information disclosed in the notes to the financial statements. • Controls in the various accounting systems that capture, summarize and record the routine accounting transactions (e.g., recording of revenue, expenses, etc.) on which the financial statements are based. These are referred to as process controls. The effectiveness of controls over the routine accounting transactions and the preparation of financial statements is influenced, for better or worse, by the effectiveness of the control environment (“tone at the top”) and other entity level controls. Where the control environment is weak, the effectiveness of process level controls may be impaired. In smaller public companies, the state of internal control in general, and ICFR in particular, may be reasonably apparent to the CEO and CFO without them having to conduct a detailed evaluation of all aspects of ICFR. This would often be the case in companies where, for example, day-to-day internal busi- ness relationships are close, there are few employees in the finance and report- ing functions, and the board’s involvement and oversight enable it to have a good understanding of the general operating circumstances and staff comple- ments. As an entity level control in many smaller companies, the CEO and CFO are often actively involved in the day-to-day operations of the business, which can have a positive impact on controls over the authorization of transactions, safe- guarding of assets, etc. On the other hand, the CEO’s and CFO’s active involve- ment in the business may not have the same positive impact on the preparation of financial statements, particularly in situations where there is an exposure to management override. Potential for management override is discussed further in Appendix 2, Characteristics of small companies that affect ICFR. Information technology can have both a positive and negative effect on the design of ICFR in small companies. The widespread use of commercial accounting packages by smaller companies has generally improved controls at the transaction processing level, especially where proprietary packages cannot be modified. However, these benefits may not be realized if staff have insufficient IT expertise to fully understand the software they are using or if access and system security controls are weak. The ICFR implications of use of information technology are discussed further in Appendix 2. C. Identifying Weaknesses in Design of Internal Control  C. over Financial Reporting
  • 15. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Some smaller company executives have told the authors that, given a sound control environment, the process level controls in a small company are likely to be more effective and their design can be more easily assessed. They sug- gest that, except for situations involving complex accounting for transactions (for example, revenue recognition for multiple element contracts), a general understanding of the processing systems involved in initiating, recording, summarizing and reporting routine transactions may, in most instances, be sufficient to enable the CEO and CFO to conclude on the design of process level controls because of their closeness to the business. In our view, an effective design of ICFR requires some level of documentation of the controls over routine accounting processes. This level of documenta- tion may be at a reasonably high level (i.e., the “understandability” level) for most processes, with some additional detail to describe the controls in place for the areas identified through the risk assessment process as posing a higher risk — such as those involving the application of more complex GAAP. It is also important that the process for assessing ICFR design (i.e., one that is appropriate to the smaller company’s particular circumstances) be suitably documented. All of the above information provides the CEO and CFO with the documented facts and knowledge they need to assess the findings, form conclusions and provide the certifications of ICFR design, decide on any remedial actions to be taken regarding identified ICFR design weaknesses, and prepare the neces- sary MD&A disclosures. C. Identifying Weaknesses in Design of Internal Control 9 C. over Financial Reporting
  • 16. D MD&A Disclosures About ICFR and ICFR Design Weaknesses This chapter focuses on issues to be considered when deciding the MD&A disclosures to be provided about the design of ICFR and any design weak- nesses that may be identified, taking into account the CSA requirements and reporting that best meets users’ needs. The chapter also provides examples to illustrate how these disclosures may appear for several typical ICFR weak- nesses. MI 52-109 is intended to increase the transparency about controls over dis- closures in general, and financial reporting in particular. This transparency provides users with helpful insights into the reliability of an issuer’s reported financial information, the issuer’s commitment to sound internal control, and decisions made by management with respect to certain control risks. Users can then make their own informed judgments as to whether management’s decisions about controls and related risks are in the best interests of the com- pany and its shareholders and will have the desired impact on the reliability of financial reporting. This chapter provides guidance in preparing the supporting disclosures to be provided in the MD&A with respect to the certifications by the CEO and CFO, and specifically that they have: “designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regard- ing the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP”. This is an important issue when the certifying officers have concluded that, as of the end of the reporting period, one or more material weaknesses exist in ICFR design. 11
  • 17. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Disclosure Decisions: Requirements and Recommendations Chart 1 illustrates a decision tree that CEOs and CFOs can use in making disclosure decisions. It starts with a list of typical ICFR design weaknesses that management might have identified through an approach such as the one discussed in chapter C. (The chart does not deal with required disclosures about ICFR changes in the most recent interim reporting period.) e.g. • weakness in revenue recognition • lack of GAAP/accounting expertise • lack of control documentation Consider each • lack of control monitoring identified design • weakness in control environment CHART 1 • evidence of management override weakness in ICFR • lack of segregation of duties Deciding on MD&A Disclosures about • weakness in IT controls Identified Weaknesses in ICFR • integration of acquisition • delegation of authority (This chart does not address disclosure about Q4 changes in ICFR.) What is the Less than a probability that the ICFR weakness could result in a Reasonable reasonable material error in the possibility possibility financial statements? Take steps to achieve reasonable assurance that there are no material Is the ICFR error(s) in annual or interim periods’ weakness financial statements significant? Is weakness Yes remediation No reasonably feasible and planned? Yes No Take appropriate Take appropriate corrective action, & MD&A disclosure MD&A disclosure corrective action if advise audit about weakness/es, about weakness/es, reasonable to do so committee and steps taken re F/S & steps taken re F/S & (no disclosure auditors accordingly approved reason why no required) (no disclosure remediation plan remediation plan required) The first step is to consider each identified, unremediated ICFR design weak- ness and determine whether it is material. While the concept of materiality is discussed further below, we suggest that the fundamental principle for deter- mining whether an identified weakness is material is to form a judgment on the likelihood of the weakness failing to prevent or detect a material error in financial statements. If management’s judgment is that it is reasonably pos- sible that the ICFR weakness could result in a material error in the financial statements, then the weakness should be considered material. If a weakness is not considered material — i.e., it is not likely to impair the reli- ability of financial statements — management will need to decide what correc- tive action, if any, is appropriate to take, depending upon the significance of the weakness. For an ICFR weakness that is considered material, management must take steps to achieve reasonable assurance that no material errors exist in the financial statements. The appropriate steps to take to achieve such assurance D. MD&A Disclosures About ICFR 12 and ICFR Design Weaknesses
  • 18. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting will depend on the nature of the weakness. For example, for a weakness that is lack of GAAP proficiency, the external audit of the financial statements and any adjusting journal entries required as a result may be the appropriate steps. If the identified weakness involves management override of controls or appli- cation of accounting policies, then extra involvement and enquiry by the audit committee and board of directors may be necessary. Next, management needs to determine what, if anything, will be done to cor- rect or remediate each identified material design weakness. In some instances, management of smaller issuers may decide that it is not practical or cost-effec- tive to take any action at all. (Examples of possible action plans and related disclosures are provided later in this chapter.) Determining the actions to be taken to remediate a material design weakness is important because, accord- ing to CSA Staff Notice 52-316, acceptable disclosure in the period end MD&A about an unremediated ICFR weakness should include: “…the issuer’s plan, if any, to remediate the weakness. If no such plan exists, the issuer should consider disclosing its reasons for not planning to remediate the weakness.” The CICA publication Internal Control 2006: The Next Wave of Certifica- tion — Guidance for Management suggests that the disclosure of a plan for remediating an identified material weakness in ICFR design should indicate the actions planned by management, and also: • When the planned actions are to take place • The commitment and capability to carry them out, and • That the plan has been approved by the audit committee as well as the CEO and CFO. The CICA guidance recommends that these disclosures be provided in future periods until the audit committee is satisfied that the remediation plan has been fully implemented. The final step is for management to prepare satisfactory MD&A disclosure about each material design weakness. At a minimum, the disclosures must satisfy MI 52-109 and take into consideration CSA Staff Notice 52-316. Man- agement may chose to provide further information to help investors better understand the situation and maintain their confidence in the company, its management and its reporting. CSA Staff Notice 52-316 indicates that the certifying officers may certify the design of the issuer’s ICFR when weaknesses exist, provided that “the disclo- sure about the identified weakness presents an accurate and complete picture of the condition of the design of the issuer’s ICFR.” MI 52-109 does not explic- itly require the disclosure of weaknesses in design of ICFR, but issuers are required to provide MD&A disclosure of the certifying officers’ conclusions about the effectiveness of disclosure controls and procedures. The CSA staff suggest those conclusions should include the disclosure of identified weak- nesses in DC&P and, given the substantial overlap between the definitions of DC&P and ICFR, should, therefore, include MD&A disclosure about the nature of ICFR design weaknesses. D. MD&A Disclosures About ICFR 13 and ICFR Design Weaknesses
  • 19. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting CSA Staff Notice 52-315 reported a disturbing statistic. Approximately 28% of issuers reviewed by the CSA failed to include disclosure about the DC&P in their 2005 annual MD&As. It is reasonable to expect that the CSA will check to ensure that this disclosure is contained in 2006 filings7. If a required disclosure is not provided, the issuer may be forced to refile its MD&A to cor- rect this disclosure deficiency and could also be exposed to further regulatory and/or civil actions. Given the transparency objective noted above, we believe that, as a general principle, appropriate disclosure is required about each specific material ICFR design weakness that exists at the end of the reporting period. We believe that a simple, generic “catch all” disclosure about ICFR design weakness would neither meet investors’ needs nor the intent of the CSA certification require- ments and related staff notices. Separate MD&A disclosures are also required where a change has occurred in ICFR in the most recent interim reporting period that has materially affected or is reasonably likely to have a material effect on ICFR — either positively or negatively. Changes are to be disclosed in the MD&A and the CEO and CFO are required to certify that such disclosures have been made. Changes in ICFR may be to correct an identified weakness, or simply to change ICFR because of, for example, the implementation of a new accounting system, or changes that arise from the integration of a newly acquired subsidiary. In all disclosure about ICFR design and weaknesses, it is essential for the CEO and CFO to be able to conclude that there is reasonable assurance regarding the reliability of financial reporting, notwithstanding the disclosed weakness in design of ICFR. If such a conclusion cannot be reached, then legal counsel should be consulted by management and the board. Materiality While the accounting literature contains guidance in determining materiality, no Canadian guidance exists to help management evaluate the likelihood of errors occurring, or to determine what would constitute a “low” likelihood vs. a “high” likelihood. However, the U.S. guidance for external auditors in eval- uating control deficiencies may be useful to CEOs and CFOs in assessing the impact of deficiencies detected in ICFR design. The U.S. PCAOB8 defines a material weakness as “a significant deficiency, or combination of significant deficiencies, that results in a more than remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” All material weaknesses would need to be disclosed. In the U.S., control deficiencies that are less serious than a material weakness but are “significant” are required to be disclosed to the audit committee. Furthermore, if one or more material weaknesses exist at the company’s year end, management and the external auditor must conclude that ICFR is not effective. 7 See for example the Continuous Disclosure Review Program report by the Alberta Securities Commission issued in February 2007. 8 See Public Company Accounting Oversight Board Auditing Standard No. 2. D. MD&A Disclosures About ICFR 14 and ICFR Design Weaknesses
  • 20. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting The U.S. test of “more than a remote likelihood” that a material misstatement will not be prevented or detected by the ICFR design weakness is a very low threshold and a tough standard to use in the assessment of ICFR design weak- nesses. In December 2006, PCAOB proposed replacing the term “more than a remote likelihood” with the term “reasonable possibility” — meaning more than remote but less than probable. It also proposes using the term “control deficiency or combination of control deficiencies” instead of “significant deficiencies”. The concept of “more than inconsequential” used in defining “significant deficiency” is also to be removed. The term “significant”, it is pro- posed, will mean “less than material yet important enough to merit attention by those responsible for oversight of the company’s financial reporting”. In our view, these proposals will help solve some of the problems associated with the current definitions and requirements of PCAOB Auditing Standard Number 2. However, they are, at time of writing, only proposals and have yet to be approved. The SEC’s December 2006 proposed interpretive guidance for management on ICFR may also be helpful in considering the factors that determine whether or not an ICFR weakness is material. We advised in the CICA’s September 2006 publication Internal Control 2006: The Next Wave — Guidance for Management, that material weaknesses need be brought to the attention of the audit committee, and that the issuer’s legal counsel should be consulted to determine that the proposed course of action and disclosure are appropriate having regard to CSA Staff Notice 52-316 and applicable statutory civil liability provisions regarding secondary market dis- closures. In the absence of any authoritative Canadian guidance, CEOs and CFOs must apply their professional judgment in assessing the materiality of their findings with respect to the design of ICFR and determining the appropriate disclosure in the MD&A. Given this lack of guidance, we believe it is important that the CEO and CFO document their conclusions about the materiality of identified weaknesses, including their supporting rationale, and review this with the audit committee. We also point out that, if there is a restatement in a subsequent reporting period to correct financial statement errors that occurred in the current reporting period, regulators (and potential plaintiffs) will look to see whether a design weakness in ICFR was disclosed to alert the reader of the financial statements. If a design weakness was identified but not disclosed, the burden of proof would be on the officers and directors to justify their decision not to disclose, since investors are entitled to assume that the design of ICFR pro- vides reasonable assurance regarding the reliability of the company’s financial reporting. In Internal Control 2006: The Next Wave of Certification — Guidance for Management, we cautioned issuers against trying to rationalize why an ICFR weakness is not really material and does not need to be disclosed. Significant weaknesses in the design of ICFR that management believes do not warrant public disclosure (i.e., they are significant but not material) should at least be brought to the attention of the audit committee. D. MD&A Disclosures About ICFR 15 and ICFR Design Weaknesses
  • 21. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Disclosure When No Material ICFR Design Weaknesses are Identified When no material weaknesses in ICFR design have been identified at the end of the reporting period, we recommend that the MD&A should disclose that the CEO and CFO have: • evaluated the operating effectiveness of disclosure controls and proce- dures, • assessed the design of internal control over financial reporting, • concluded that DC&P are effective (if that is the case) based on their evalu- ation of it, and • concluded that no material weaknesses have been identified in the design of ICFR. The following is an example of such disclosure: The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of its internal control over financial reporting as of December 31, 2006, pursuant to the requirements of Multilateral Instrument 52-109. The CEO and CFO have concluded, based on this evaluation, that the company’s disclosure controls and procedures are effective, and that the design of internal control over financial reporting provides reasonable assurance regarding the reliability of the company’s financial reporting and the preparation of the company’s financial statements for external purposes in accordance with (Canadian) GAAP. Where no changes in ICFR occurred in the preceding interim reporting period, it may be useful to add the following to the MD&A disclosure: Furthermore, there were no changes in internal control in the fourth quarter that we considered should be disclosed. Disclosure When Material ICFR Design Weaknesses are Identified When management has determined that material weaknesses exist in the design of ICFR at the end of the reporting period, we suggest using a four-part framework for providing disclosure in the MD&A. The framework takes into account the disclosure aspects of the CSA certification requirements under MI 52-109, together with the expectations expressed in CSA Staff Notice 52-316 and the CICA’s publication Internal Control 2006: The Next Wave of Certification — Guidance for Management. Of course, companies may choose to expand their disclosure about ICFR and design weaknesses beyond these minimum requirements when the result enhances the overall usefulness of the disclosure. The four elements of the suggested framework for disclosing ICFR design weaknesses are discussed below. The Design Assessment Process In preparing this disclosure, management should bear in mind that the con- tents of the certificates required by MI 52-109 do not need to be provided in the MD&A. Readers will likely need to be informed why the disclosures about DC&P and ICFR are being made, the fact that effective DC&P and ICFR provide reasonable, not absolute, assurance, and what process was followed to identify any ICFR design weaknesses. Therefore, the MD&A disclosure could D. MD&A Disclosures About ICFR 1 and ICFR Design Weaknesses
  • 22. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting begin by explaining why the design of ICFR was assessed and, since MI 52- 109 leaves it to management to determine the extent of the assessment, a brief description of the process management used to assess the design of ICFR. Weakness Descriptions The disclosure should describe each material weakness in ICFR design that existed at the end of the period in enough detail for readers to understand the nature of the weakness and the risks associated with it. The disclosure should also state that weaknesses in the design of ICFR likely constitute weaknesses in disclosure controls and procedures, unless there is a good reason to believe otherwise, in which case that reason should be stated. This needs to be reflected or referenced in the MD&A disclosure about management’s conclusions of its evaluation of the effectiveness of disclosure controls and procedures. Remediation Plans An overview of the plan to remediate the ICFR design weaknesses should be provided, including a description of the actions that have been or will be taken, when those actions were or will be taken, and a confirmation of both the commitment and the capability to carry out the actions as planned. If a remediation plan does not exist, we recommend that management disclose the reasons for not planning to remediate the ICFR design weakness. This recommendation is based on CSA Staff Notice 52-316, which says that issu- ers should “consider” disclosing their reasons for not planning to remediate an ICFR design weakness. It may also be useful if this disclosure references management’s communication with the audit committee and its concurrence about actions that will or will not be taken. Mitigating Activities over Accuracy of Financial Reporting We recommend that management provide a summary of any steps they have taken (other than reliance on the work and opinion of the external auditors in performing and reporting on their audit of the financial statements) to satisfy themselves that identified weaknesses in the design of ICFR have not resulted and likely will not result in material errors in the quarterly and annual financial statements. We also recommend that issuers disclose the steps they plan to take to provide similar assurance regarding future financial statements that will be issued before the identified material ICFR design weaknesses are remediated. An example of an appropriate mitigating strategy would be for management or those in charge of governance to request the external auditor to conduct additional procedures such as an agreed-upon procedures engagement or an auditor’s review of quarterly financial statements, or both. Management could then include a general reference9 to this additional work in their disclosures in the MD&A, similar to the following: “Management and the audit committee have engaged the external audi- tor to perform additional procedures until the control weaknesses noted above have been remediated. In their due diligence efforts to ensure that 9 Note that the following suggested wording for MD&A disclosure omits reference to an auditor’s review of interim financial statements. Readers are also reminded that, pursuant to National Instrument 51-102 Paragraph .3(3)(a)), if an auditor has not performed a review of the interim financial statements required to be filed, the interim financial statements must be accompanied by a notice indicating that the financial statements have not been reviewed by an auditor. D. MD&A Disclosures About ICFR 1 and ICFR Design Weaknesses
  • 23. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting the financial statements filed with the Commission present fairly in accor- dance with Canadian generally accepted accounting principles, manage- ment and the audit committee will be considering the additional infor- mation coming to their attention as a result of the completion of these additional procedures”. If it is considered not practical to remediate a material design weakness, the possibility still exists that prior and current period financial statements could contain one or more undetected and uncorrected material errors. If the exter- nal auditors’ plan and approach took the weakness into account from the outset, this may have led them to conduct the necessary audit procedures to satisfy themselves that an unqualified audit opinion is appropriate. The next three quarterly financial statements are likely to be exposed to errors resulting from this weakness, however, unless action is taken to mitigate the impact of these weaknesses until they are remediated. In our view, an instance where a material weakness is not remediated and no mitigating activities are per- formed represents a serious situation that should be discussed with the issuer’s board and legal counsel. Disclosure Examples Illustrations of some MD&A disclosures relating to the more typical material ICFR design weaknesses that an issuer may determine to exist are presented below. The examples do not constitute an all-inclusive list, nor is it suggested that the wording used in the examples be applied in any given situation. Reporting issuers should ensure that in their MD&A disclosures they accu- rately reflect and describe their individual facts and circumstances. While most of the examples relate to situations that could be encountered in small reporting issuers, we believe they could be relevant to larger reporting issuers as well. Many of these examples deal with situations where the report- ing issuer considers that remediation of the ICFR design weakness is realisti- cally feasible and has accordingly developed and approved a remediation plan. One example (related to the segregation of duties) discusses a situation where the reporting issuer considers that remediation is not realistically feasible and not in the best interests of the company, and therefore has no remediation plan. In accordance with CSA Staff Notice 52-316, these examples take the posi- tion that ICFR design weaknesses are also weaknesses in disclosure controls and procedures (DC&P). The examples do not necessarily provide a complete picture of the disclosures that CEOs and CFOs would cause to be included in the MD&A about the conclusions they have reached from evaluating the effectiveness of DC&P. The examples are intended to illustrate that MD&A disclosures can help to enhance investors’ understanding of management’s judgments regarding cost-effective internal control decisions, in turn strengthening the quality of financial reporting. Issuers should not adopt these examples literally but rather apply their own judgment, and seek external advice where necessary, when adapting any of these examples to reflect their particular circumstances. In all cases, the examples assume a December 31, 2006 year end. D. MD&A Disclosures About ICFR 18 and ICFR Design Weaknesses
  • 24. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting The following table lists 10 disclosure examples for typical weaknesses and relates them to the typical characteristics of smaller issuers (discussed in Appendix 2) to assist users in matching these examples with the typical char- acteristics of smaller issuers. Characteristics of Smaller Companies That May Affect ICFR (positively or negatively) Concentra- tion of power, Effective- Stage of potential ness of Limited Limited pro- Lack of for- company’s Smaller IT systems, for man- audit staff and fessional mal policies develop- size, less pack- agement committee segregation accounting and proce- ment as a complex ages and override and board of duties expertise dures business operations practices Typical ICFR Design Weaknesses: 1. Weakness in controls regard- ing revenue x x x x x x recognition 2. Lack of taxation and GAAP accounting x x x expertise 3. Lack of documentation about control x x x procedures 4. Lack of control monitoring and x x x x x x reconciliations 5. Weakness in the control environ- x x x ment 6. Weakness in entity level IT x x x x x x x controls 7. Management override of x x x x x controls 8. Inadequate segregation x x x x of duties 9. Incomplete integration x x x x x x x of acquisition 10. Inadequate poli- cies for approval of related party x x x x x transactions D. MD&A Disclosures About ICFR 19 and ICFR Design Weaknesses
  • 25. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting 1. Weakness in controls regarding revenue recognition The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the certification requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by a lack of adequate accounting policies and procedures for recognizing revenue. This design weakness has the potential to result in material mis- statements of revenue, accounts receivable, deferred revenue, net income and retained earnings. It should also be considered a weakness in the issuer’s disclosure controls and procedures. Management has engaged external advisors to develop, and assist the company in implementing, additional accounting policies and control procedures with respect to the recognition of revenue. Management and the audit committee have also engaged the external auditor to carry out certain additional procedures regarding future interim financial state- ments until these additional accounting policies and control procedures have been implemented. 2. Lack of taxation and GAAP accounting expertise Under the supervision of the CEO and CFO, management evaluated the effectiveness of the design and operation of the company’s disclosure con- trols and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursuant to the requirements of Multilateral Instrument 52-109. During the year end audit, the external auditors detected an error in the computation of future income taxes, which was corrected in our accom- panying published financial statements. Management determined that this adjustment was caused by a lack of adequate understanding of taxa- tion and accounting for income taxes and that this represented a material weakness in the design of internal control over financial reporting as of December 31, 2006. Based on their evaluation, the CEO and CFO concluded that disclosure controls and procedures were effective, despite the weakness in the design of internal control over financial reporting described above, because, as stated below, the ICFR design weakness has been remediated subsequent to the year end.10 Since the year end, management has recruited a professional accountant with the necessary competence in taxation and accounting under Cana- dian GAAP. 10 However, caution is needed in concluding that DC&P were effective as of the end of the period if at that point in time there was an unremediated ICFR design weakness. D. MD&A Disclosures About ICFR 20 and ICFR Design Weaknesses
  • 26. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting 3. Lack of documentation about control procedures The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by the absence of a policy requiring documentation of the performance of critical control procedures. This weakness leads to uncertainty as to whether the control procedures are being carried out, such that mate- rial misstatements in the financial statements may fail to be prevented or detected. This weakness should also be considered a weakness in the company’s disclosure controls and procedures. Management has asked external advisors to submit proposals for devel- oping, and assisting the company in documenting and implementing, appropriate ICFR policies and procedures for key controls and the docu- mentation of their effective operation. No other actions are planned until a decision has been taken on the proposals. 4. Lack of control monitoring and reconciliations The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by a lack of timely monitoring of control procedures, such as timely reconciliations of bank accounts and subsidiary ledgers. This weakness could result in a failure to detect breakdowns in the effective operation of underlying controls and could result in material misstatements in the financial statements; this weakness should also be considered a weakness in the company’s disclosure controls and procedures. Management has concluded that it needs to assign specific control moni- toring responsibilities among senior executives to correct this weakness, with accompanying amendments to internal control documentation, including management job descriptions. Management and the audit committee have engaged the external auditor to carry out certain addi- tional procedures regarding future interim financial statements until this allocation of responsibilities has been completed and appropriate control monitoring procedures are implemented. 5. Weakness in the control environment The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by failure of the company to establish and communicate its expectations D. MD&A Disclosures About ICFR 21 and ICFR Design Weaknesses
  • 27. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting regarding standards of business conduct in the interests of developing and maintaining a culture of integrity, and to oversee compliance with such standards. This weakness could result in business and accounting practices that could put both the company’s reputation and its financial reporting at risk. This weakness should also be considered a weakness in the company’s disclosure controls and procedures. Management and the board are in the process of establishing a written code of business conduct, and developing procedures to communicate it effectively and monitor its implementation throughout the organization. 6. Weakness in entity level information technology controls The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of its internal control over financial reporting as of December 31, 2006, pursuant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a material weakness existed in the design of internal control over financial report- ing caused by a lack of change management, security and access controls to ensure that all transactions entered into automated processing systems (and spreadsheets used in the preparation of financial statements) are processed in accordance with Canadian generally accepted accounting principles. This weakness in information system controls has the poten- tial to result in material misstatements in the financial statements as well as improper authorizations of transactions and inappropriate use of the company’s assets, and should also be considered a weakness in its disclo- sure controls and procedures. Management has engaged external advisors to assist the company in designing and implementing appropriate IT change management, secu- rity and access controls. Management and the audit committee have engaged the external auditor to carry out certain additional procedures regarding future interim financial statements until these new controls have been implemented. 7. Management override of controls The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by the discovery that certain documentation relating to the awarding of stock options may have been altered after the date at which these stock options were awarded. As announced in October 2006, the board com- missioned an independent review of this matter to report in due course on the results of this review. The board, however, has concluded that existing controls are not sufficient to prevent or detect backdating of the grant date of stock options and that this design weakness could result in mate- rial errors in the accounting for stock based compensation arrangements in the financial statements. This weakness should also be considered a weakness in the company’s disclosure controls and procedures. D. MD&A Disclosures About ICFR 22 and ICFR Design Weaknesses
  • 28. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting The audit committee has been assured by the independent review com- mittee that there has been no material impact on the accounting for stock options and, with the board’s approval, has requested the independent review committee to make recommendations about controls relating to the granting and pricing of stock options in the future. 8. Inadequate segregation of duties The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by a lack of adequate segregation of duties between (a) the authorization, recording, review and reconciliation of purchases and sales, and (b) the recording of cash receipts and the reconciliation of bank accounts. This weakness has the potential to result in material misstatements in the company’s financial statements, and should also be considered a weak- ness in its disclosure controls and procedures. Management has concluded and the board has agreed that, taking into account the present stage of the company’s development and the best interests of its shareholders, the company does not have sufficient size and scale to warrant the hiring of additional staff to correct this weakness at this time. To help mitigate the impact of this weakness and to ensure quality financial reporting, the audit committee has engaged the external auditor to perform additional procedures regarding the company’s future interim financial statements. 9. Incomplete integration of acquisition The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of its internal control over financial reporting as of December 31, 2006, pursuant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting caused by the company’s inability to complete the integration of the accounting sys- tems and internal controls over financial reporting in “a newly acquired subsidiary” following the acquisition of “the newly acquired subsidiary” in the fourth quarter. The company applied for and received from (“the securities regulator”) an exemption from the requirement in MI 52-109 under Part , item .5 (1), to include within the scope of clause  (c) in the CEO and CFO certificates the internal controls over financial reporting at “the newly acquired subsidiary”, since it was not reasonably practical to complete an assessment of the design of ICFR in “the newly acquired subsidiary” before the financial statements were issued. Management will continue to take the steps necessary to assess and advance the integration of business processes, accounting systems and ICFR of the “newly acquired subsidiary” by the end of the first quarter of 2007. To mitigate the potential impact of this weakness and to ensure D. MD&A Disclosures About ICFR 23 and ICFR Design Weaknesses
  • 29. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting quality financial reporting, the audit committee has engaged the exter- nal auditor to perform additional procedures regarding the company’s interim financial statements for the next two quarters. 10. Inadequate policies for approval of related party transactions The CEO and CFO have evaluated the effectiveness of the company’s dis- closure controls and procedures and assessed the design of the company’s internal control over financial reporting as of December 31, 2006, pursu- ant to the requirements of Multilateral Instrument 52-109. Management has concluded that, as of December 31, 2006, a weakness existed in the design of internal control over financial reporting due to the fact that there was not an appropriately specific, board-approved policy regarding authorization of contractual arrangements and transac- tions that involve related parties. This weakness has the potential to result in material misstatements in the financial statements as well as improper authorizations of transactions and unauthorized acquisition, use and dis- position of the company’s assets, and should also be considered a weak- ness in the company’s disclosure controls and procedures. Management is developing a comprehensive set of policies for contractual arrangements and transactions with related parties to be submitted to the board of directors for approval. To mitigate the potential impact of this weakness and to ensure quality financial reporting, the audit committee has engaged the external auditor to audit a management prepared listing of transactions involving amounts in excess of ($X) and to carry out addi- tional procedures concerning the company’s contracting practices. The above examples illustrate only some of the types of material weakness in ICFR design that may arise. They also present only some of the options avail- able to reporting issuers about remediation decisions and plans. Reporting issuers may choose to take other steps to mitigate the risk of misleading finan- cial reporting, including material misstatements in financial statements. Because of the potential consequences of incomplete or inaccurate disclosures, management and audit committees are encouraged to seek the advice of legal counsel when finalizing their MD&A disclosures about material weaknesses in ICFR design. This may be particularly important if previous certifications about disclosure controls and procedures have not indicated the existence of any material weaknesses in ICFR design. Consequences of Incomplete or Inaccurate Disclosures Although issuers may be understandably concerned about disclosing material weaknesses in the design of ICFR, these must be disclosed nevertheless. If they are not, there may be potential consequences, such as: • Exposure of board and officers to civil liability for misleading disclo- sures — particularly if there is a subsequent restatement that is related to the design weakness • Possible increase in cost of capital due to a risk premium resulting from increased uncertainty about the reliability of the issuer’s financial reporting • Damage to the reputation of management and the board • Enforcement and administrative actions by regulators, including comment letters and possible refilings of the MD&A D. MD&A Disclosures About ICFR 24 and ICFR Design Weaknesses
  • 30. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting • Auditor association difficulties (for example, the auditors might not be able to consent to the use of their audit report in a subsequent securities filing if they believe the disclosures in the MD&A includes misrepresentations about the design of ICFR — See also the CICA Audit Risk Alert Auditor Involvement with Management’s Internal Control Certifications, dated January 2007). It is, therefore, in the best interests of management, the board and investors to take all reasonable, appropriate steps to ensure that the CEO’s and CFO’s conclusions in the MD&A about the effectiveness of DC&P and the design of ICFR are complete, accurate and fairly presented. D. MD&A Disclosures About ICFR 25 and ICFR Design Weaknesses
  • 31. E External Auditor Involvement with ICFR Certification and Disclosures It is important that management and audit committees of reporting issuers understand the manner and extent to which external auditors are involved with evaluating and testing ICFR. External auditors are not involved in the certification of ICFR design, and are not required by MI 52-109 to provide any opinion on ICFR or on the CEO and CFO certifications about ICFR design. As a result of performing their audit of the financial statements, external audi- tors, however, acquire knowledge about ICFR. It is, therefore, wise for man- agement and audit committees to discuss with the auditors what involvement they have had with ICFR, the controls they have evaluated and tested, and whether they found any ICFR weaknesses. External Auditors and ICFR The work auditors perform in a financial statement audit cannot provide the type of assurance about the design or operating effectiveness of ICFR design that is available to audit committees and boards of inter-listed companies sub- ject to SOX 0. Canadian issuers that want to obtain such assurance would have to ask their auditors to perform an engagement with the specific objective of providing assurance on ICFR, which would require the auditor to perform additional procedures that are not included in financial statement audits. The terms of such an engagement would need to be agreed between the auditor and the issuer in advance (and approved by the audit committee) and would have to be appropriately documented. Although this type of engagement usually involves significant costs, it is prob- ably the most effective way of providing assurance to the issuer, and its officers and directors, with respect to ICFR and its effectiveness in relation to the reli- ability of the company’s financial reporting. Whether the benefits of such an assurance engagement are worth the costs, particularly for a small issuer, is something for each audit committee to determine, based on the company’s specific circumstances. A less costly option is to engage the external auditor to perform an agreed- upon procedures engagement that would support the audit committee’s due diligence assertion that it conducted a reasonable investigation. Such proce- 2
  • 32. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting dures might include performing tests of those controls related to a selection of principal financial reporting and disclosure risks and processes. In such engagements the external auditor would: • agree with management and the audit committee as to the procedures to be performed • perform those procedures, and • report to management and the audit committee their findings. While “agreed-upon procedures” engagements do not provide assurance on the design or operating effectiveness of ICFR, they can be designed to provide facts and findings from which the audit committee should be able to draw inferences regarding key elements of ICFR design, and would assist the audit committee in supporting an assertion that it conducted a “reasonable inves- tigation.” They could also provide additional objective evidence for manage- ment and the audit committee to use in determining whether a weakness in design of ICFR constitutes a material weakness that should be disclosed. External auditors can also assist management with the documentation of con- trol procedures. However, depending on the nature and extent of services to be performed, auditors would need to be vigilant that the services they per- form pose no threat to their independence. Association with the MD&A External auditors are associated with the information in the MD&A and, therefore, with the MD&A disclosures about ICFR changes and weaknesses in ICFR design. The auditor is required to read the MD&A to assess whether matters discussed in the MD&A are inconsistent with the knowledge, includ- ing knowledge about ICFR, that was obtained in conducting the audit of the financial statements. Should the auditor conclude that MD&A disclosures about ICFR design are inconsistent with their knowledge (e.g., the MD&A does not disclose material weakness in the design of ICFR that the external auditor is aware of), then the auditor would communicate this fact to the audit committee, and take further appropriate action.11 11 Auditor association with MD&A disclosures regarding ICFR is more fully explained and dis- cussed in the AASB Risk Alert issued in January 2007, “Auditor Involvement with Manage- ment’s Internal Control Certifications”. E. External Auditor Involvement with ICFR Certification 2 and Disclosures
  • 33. F Conclusion — Preparing for the Fourth Wave of Certification The CSA’s proposed revisions to MI 52-109, which are expected to include requirements for CEO’s and CFO’s to certify the operating effectiveness of ICFR, were to be published by the end of March 2007.12 The new requirements will be effective for financial years ending on or after June 30, 2008. Issuers with December year-ends, therefore, will only be required to certify the design of ICFR in 2007, giving them an additional year to prepare for the certification of the operating effectiveness of ICFR. In our view, issuers should use this additional period to further strengthen their processes for assessing the design of ICFR, and to develop a top-down, risk-based approach for certifying the operating effectiveness of ICFR that is cost effective and helps them achieve business and compliance objectives. Some specific suggestions for issuers to consider as they prepare for the certi- fication of operating effectiveness are: • Review the process utilized in 2006 to assess the design of ICFR, the ben- efits achieved, and the actions to remediate any identified weaknesses. Determine how the process can be improved for 2007. • As part of the above review, ensure that an effective process exists to iden- tify principal business, disclosure and financial reporting risks, and that the design of DC&P and ICFR is aligned with those principal risks. • Ensure that the CEO’s and CFO’s evaluation of DC&P and assessment of ICFR are aligned with the assessment of principal risks. • Use 2007 to develop a well-designed, cost-effective approach to test ICFR and to support the CEO’s and CFO’s conclusions about its operating effec- tiveness. • Pilot the approach for testing the operating effectiveness of ICFR in 2007, and assess the results of the pilot test. • Consistent with a top-down approach, ensure that the plan for assessing the effectiveness of ICFR begins with tests of entity level controls before conducting tests of controls at the process control level. 12 These requirements are expected to apply to all issuers since all members of the CSA are expected to support the proposed National Instrument. 29
  • 34. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting • Initiate a benchmarking effort to identify leading practices followed by companies that comply with SOX 0, or have been “early adopters” in certifying the operating effectiveness of ICFR. • Ensure that the audit committee and board of directors are appropriately involved with this process. A certification process that is properly organized to achieve both business and compliance objectives, building on the investments made in complying with the 2006 certification requirements and applying the lessons learned from that activity, will be important in developing a stronger internal control system that provides longer-term benefits to reporting issuers and their investors. F. Conclusion — Preparing for the Fourth Wave 30 of Certification
  • 35. A1 Appendix 1: Form 52-109F1 — Certification of Annual Filings I, <identify the certifying officer, the issuer, and his or her position at the issuer›, certify that: 1. I have reviewed the annual filings (as this term is defined in Multilateral Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings) of ‹identify issuer› (the issuer) for the period ending ‹state the relevant date›; 2. Based on my knowledge, the annual filings do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances under which it was made, with respect to the period covered by the annual filings; 3. Based on my knowledge, the annual financial statements together with the other financial information included in the annual filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer,as of the date and for the periods presented in the annual filings; . The issuer’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer, and we have: a. designed such disclosure controls and procedures, or caused them to be designed under our supervision, to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, par- ticularly during the period in which the annual filings are being pre- pared; b. designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issu- er’s GAAP; and 31
  • 36. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting c. evaluated the effectiveness of the issuer’s disclosure controls and pro- cedures as of the end of the period covered by the annual filings and have caused the issuer to disclose in the annual MD&A our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on such evalu- ation; and 5. I have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred dur- ing the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting. Signature Title Date 32 A1. Form 52-109F1 — Certification of Annual Filings
  • 37. Appendix 2: Characteristics A2 of Small Companies that Affect ICFR Weak ICFR design not only constitutes a financial reporting risk, it may also represent a principal risk to the organization and its ability to achieve its overall business objectives. To be effective and value-adding, ICFR should be aligned with the challenges, opportunities and risks the business faces as it competes for market share, customers, people and capital in its industry. Smaller companies often have particular characteristics that can impact the effectiveness of their internal control — characteristics typically related to the scale and reach of the enterprise, and its stage of development as a business enterprise. Smaller companies should focus their assessment of the design of ICFR on their specific operations and financial reporting needs. No single financial measure (such as size) is necessarily reflective of the company’s con- trol requirements. (For example, a small company may have simple operations but complex control requirements arising as a result of complex financing arrangements, unique stock based compensation arrangements or complex revenue recognition issues given its products and services.) While the controls necessary to address these complex areas would not likely vary much from those required to address comparable requirements in a larger organizations; reasonable and appropriate controls to address simpler, more routine transactions in a start-up would likely vary from the controls that would be reasonable and appropriate for similar routine transactions in a larger organization. The challenge for smaller organizations is to migrate and evolve their con- trols, particularly over routine transactions, as the organization matures. It has been suggested that the overall control mix in smaller organizations can often be characterized as 80% people based and 20% system and technology based, whereas in large organizations the reverse would be more common. Some of the characteristics of a smaller company that can affect ICFR include: • Concentration of decision-making power and the potential for manage- ment override • Effectiveness of board and audit committee oversight • Limited staff and segregation of duties 33
  • 38. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting • Limited professional accounting and financial reporting expertise • Lack of formal operating, accounting and authorization policies and pro- cedures • Stage of company’s development as a business • Smaller size, less complex operations • Use of information technology systems, packages and practices. Concentration of Decision-making Power, and the Potential for Management Override A small company’s success may depend primarily on the skills of a single entrepreneur — often the founder of the business — who acts either as a sole manager or as the leader of a small management group. Typically, the sole manager or small management group takes a “hands-on” approach to manag- ing the business and tends to make most of the decisions about the company, only obtaining outside advice when necessary. In a small company, management typically has a significant influence over the company’s internal control. Since small companies don’t have the layers of management found in larger entities, the CEO’s attitude about the impor- tance of internal control is directly evident to everyone in the company. In addition, because management in smaller companies are so closely involved in the operations of the business, their knowledge and involvement can often compensate for an otherwise weak internal control system. While management’s hands-on involvement can offset a lack of segregation of duties (discussed below) and enhance internal control, it can also have a negative effect if senior managers use their authority to override established internal control policies and procedures. Management often has this author- ity, sometimes without question. Much depends on the attitude of manage- ment and the board of directors towards the importance of internal control and the control environment they foster. If the attitude is poor and the control environment is weak, it is less likely that internal control will be effective. Effectiveness of Board and Audit Committee Oversight Boards of directors and audit committees may not always be effective in pro- viding strong oversight or preventing potential management override of inter- nal control policies and procedures. This can occur when boards and audit committees are selected and appointed by the CEO, who may limit their ability to play an effective oversight role or contribute usefully to management’s assessment of business risk and strategic decision making. A more serious situation can occur where controlling shareholders, who are not part of management, seek to override controls and management deci- sions. On the other hand, boards and audit committees can play an important role in reducing control risk, for example by understanding and monitoring the “threshold” levels in the compensation plans of the members of the execu- tive team, setting expectations regarding expected behaviour and tone at the top, serving as a mentor to the management team, and fulfilling an effective oversight role. A2. Characteristics of Small Companies 34 that Affect ICFR
  • 39. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Limited Staff and Segregation of Duties In small companies, where there is often a limited number of staff, it is not uncommon to find ineffective segregation of duties. Often, just one or two employees may be responsible for all of the company’s day-to-day clerical operations and accounting routines, and ultimately for the preparation of the financial statements. A limited segregation of duties would indicate an internal control weakness, since it limits the likelihood of detecting an individual’s unintentional errors or use of erroneous information, or deliberate attempt to deceive, all of which may increase the risk of a material error in the financial statements, as well as the risk of fraud or loss of company assets. Despite this risk, small companies often conclude that it is not in the best interests of, or the expectations of, shareholders to incur the additional costs to hire the staff required to fully segregate all duties. This does not mean that effective internal controls will not exist in a small entity. On the contrary, strong supervisory controls exercised by management and more direct audit committee oversight based on personal knowledge of all aspects of the entity can acceptably reduce the risk arising from a less than optimal segregation of duties. Limited Professional Accounting and Financial Reporting Expertise In many smaller companies, management’s talents are usually strongest in areas such as exploration, operations, sales, and product development — the skills needed to drive and grow the business. Managers often lack either the necessary skills or an interest in accounting and financial reporting. This situation is compounded by the fact that many small companies do not have professionally qualified, in-house accounting staff. In some respects, this lack of accounting and financial reporting knowledge is alleviated by the use of accounting software packages that include basic input controls, such as not allowing unbalanced journal entries to be posted and automation of the bank reconciliation process. On the other hand, the lack of formal accounting training and skills may prevent the conduct of normal accounting routines such as preparation and review of account reconciliations, and limit in-house ability to prepare finan- cial statements that are in accordance with increasingly complex accounting standards. Lack of Formal Operating, Accounting and Authorization Policies and Procedures Many small companies have informal and flexible systems and authorization procedures, which suit their entrepreneurial style of operations. Day to day operating procedures and policies are not necessarily written and stated in manuals. While this might normally be viewed as an internal control weak- ness, management’s close involvement with the business and direct approval of transactions may compensate for the lack of formal systems and procedures. A2. Characteristics of Small Companies 35 that Affect ICFR
  • 40. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Stage of Company’s Development as a Business Smaller companies are often in the earlier stages of development and growth of a business, such as start-up, exploration or rapid growth. Many smaller companies may have yet to reach a level of maturity and stability associated with many larger companies. The design of ICFR has to address the risks associated with each particular stage of growth and be appropriately modified over time as the company transitions from one stage to another. For example, companies in the start-up and exploration stages typically have yet to establish the market presence or customer base to generate sustained profits and cash flows. They often lack strong accounting and financial capa- bilities, and must closely monitor and project cash flows to protect against burning through the capital provided by the owners and raised in the Ini- tial Public Offering. Their ICFR design issues relate to basic accounting, tax and cash flow management, and minimizing the potential for management override of controls by the CEO and/or controlling shareholder, who may still attempt to run the business as if it were a private company. When a company moves into a later stage or experiences rapid growth, keep- ing pace with double digit growth and struggling to supply sufficient product to keep up with customer demand are just some of the challenges faced. Such a company must address a range of business and reporting issues demanding time and money that stress their management and accounting systems. Their ICFR design issues include the need to acquire the accounting capabilities to keep pace with, and catch up to, revenue growth and acquisition programs. Because it takes significant time and resources to implement these capabil- ities — which compete with the time and resources needed to keep up with customer demand — the ICFR design solution involves, by default, leaving things as they are, or involves temporary solutions such as the introduction of “spread sheet interfaces” and/or other “workarounds.” Smaller Size, Less Complex Operations Generally, small companies have less complicated organizational structures and operating activities than larger ones. They may have only one operating location or their operations may be carried out at multiple sites within a rela- tive small geographic area. The business may have only one type of operation or product rather than many product lines. There are typically fewer suppli- ers and fewer customers with whom the company must build and maintain relationships. Planning and operating business cycles may be shorter term (though equally likely to be susceptible to seasonal swings). The work force of a small company will normally be relatively few in number, particularly if the company outsources certain operations and services. All these factors can influence the scale and quality of ICFR. Use of Information Technology Systems, Packages and Practices The availability of increasingly sophisticated technology at lower costs may actually increase the complexity of some small companies. Many smaller companies now use information systems and technologies whose capability was previously found only in larger entities. In addition, companies of all sizes are now able to use the Internet for marketing, selling and purchasing. Small companies routinely use point-of-sales systems, are beginning to make greater A2. Characteristics of Small Companies 3 that Affect ICFR
  • 41. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting use of electronic cash transfers, and increasingly comprise a significant seg- ment of the e-business community. The growing use of sophisticated tech- nologies by small companies can result in more complex information systems than existed in the past, a factor which may impact on the internal control issues that smaller companies must manage. On the other hand, the use of a proprietary software package that cannot be modified may feature stronger control than one that is easily customized or altered by users. A2. Characteristics of Small Companies 3 that Affect ICFR
  • 42. A3 Appendix 3: Where to Find More Information Canadian Institute of Chartered Accountants Risk Man- agement and Governance Publications www.rmgb.ca The Control Environment Series13 • Internal Control 2006: The Next Wave of Certification — Guidance for Directors • Internal Control 2006: The Next Wave of Certification — Guidance for Management • Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure • CEO and CFO Certification: Improving Transparency and Accountability • Guidance on Control The CFO Series14 • How CFOs are Adapting to Today’s Realities • Financial Aspects of Governance: What Boards Should Expect from CFOs • Risk Management: What Boards Should Expect from CFOs • Strategic Planning: What Boards Should Expect from CFOs The 20 Questions Series • 20 Questions Directors Should Ask about Building a Board • 20 Questions Directors Should Ask about Codes of Conduct • 20 Questions Directors Should Ask about Director Compensation • 20 Questions Directors Should Ask about Executive Compensation • 20 Questions Directors Should Ask about Governance Assessments • 20 Questions Directors Should Ask about Internal Audit • 20 Questions Directors Should Ask about IT • 20 Questions Directors Should Ask about Management’s Discussion and Analysis • 20 Questions Directors Should Ask about Risk 2nd edition • 20 Questions Directors Should Ask about Strategy 2nd edition • 20 Questions Directors Should Ask about Their Role in Pension Governance 13 Available for free download from http://www.rmgb.ca/index.cfm/ci_id/243/la_id/1.htm 14 To order copies of CICA publications contact 416-977-0748 (Toronto) or 1-800-268-3793 (rest of Canada) or visit www.knotia.ca/store 39
  • 43. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Other CICA publications on risk, strategy and governance • Integrity in the Spotlight: Audit Committees in a High Risk World • Learning about Risk: Choices, Connections and Competencies • Management’s Discussion and Analysis — Guidance on Preparation and Disclosure • The CICA Handbook – Assurance Recommendations (Specialized Areas Section 7500) • The CICA Handbook – Exposure Draft Dec. 2006, Agreed-upon Procedures Regarding Internal Control over Financial Reporting • Risk Alert January 2007, Auditor Involvement with Management’s Internal Control Certifications (AASB) Securities Laws and Regulations — Canada www.osc.gov.on.ca/Regula- tion/Rulemaking/rrn_index.jsp • Canadian Securities Administrators (CSA) — Multilateral Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings — Multilateral Instrument 52-109CP Companion Policy — Multilateral Instrument 52-110 Audit Committees — Multilateral Instrument 52-110CP Companion Policy — National Policy 58-201 Corporate Governance Guidelines — National Instrument 58-101 Disclosure of Corporate Governance Prac- tices — National Policy 51-201 Disclosure Standards — National Instrument 51-102 Continuous Disclosure Obligations — CSA Staff Notice 52-311 Regarding Required Forms of Certificates under MI 52-109 — CSA Notice 52-313 Regarding Status of Proposed MI 52-111 and Pro- posed Amendments to MI 52-109 — CSA Staff Notice 315 Certification Compliance Review (Sept. 2006) — CSA Staff Notice 316 Certification of Design of Internal Control over Financial Reporting (Sept. 2006) — CSA Notice 317 Timing of Proposed NI 52-109 Certification of Disclo- sure in Issuers’ Annual and Interim Filings (February 2007) • Amendments to the Securities Act (Ontario) and Regulation 1015 Securities Laws and Regulations — United States • http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes- Oxley • United States Securities and Exchange Commission (SEC) www.sec.gov — Proposed Interpretive Guidance for Management on Management’s Report on ICFR, Dec. 20, 2006 40 A3. Where to Find More Information
  • 44. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Other • International Federation of Accountants — Internal Controls — A Review of Current Developments, Information Paper August 2006 — www.ifac.org • The Committee of Sponsoring Organizations of the Treadway Commis- sion (COSO), USA — Internal Control over Financial Reporting — Guidance for Smaller Pub- lic Companies, 2006 — Internal Control — Integrated Framework, 1992 — www.coso.org • Public Company Accounting Oversight Board (PCAOB, USA) Auditing Standard No. 2 PCAOB Proposed Auditing Standard — Release No. 2006- 07, December 19, 2006 • Perspectives on Internal Control Reporting — A Resource for Financial Market Participants (Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, PricewaterhouseCoopers LLP; USA, December 2004) 41 A3. Where to Find More Information
  • 45. Authors About the Authors James L. Goodfellow, FCA, is a partner and vice chairman of Deloitte who advises boards of directors, audit committees, corporate executives and securities regulators in Canada and internationally on corporate reporting and governance related issues. He recently co-authored Integrity in the Spot- light: Audit Committees in a High Risk World. Jim Goodfellow served as research director for the Joint Committee on Cor- porate Governance. He is a past chairman of the CICA Accounting Standards Board and the CICA Canadian Performance Reporting Board and has served on the CICA’s Emerging Issues Committee. He is a frequent speaker on issues related to financial reporting, corporate governance and audit committees. He believes strongly that the external audi- tors should be accountable to the board of directors and the audit committee as representatives of the shareholders, and that this repositioning of the audi- tor/client relationship can produce significant benefits to the effectiveness of the audit. Jim Goodfellow serves on the board of directors of Deloitte and, in the past, served as the firm’s National Director of Accounting & Auditing. He is a senior partner responsible for providing services to some of his firm’s largest clients. He and Alan Willis co-authored the CICA’s September 2006 publica- tions, Internal Control 2006: The Next Wave of Certification. Alan D. Willis, CA, is an independent consultant in the fields of corporate governance, performance measurement and business reporting, with a par- ticular focus on the linkages of these topics with sustainable development and the business value of stakeholder relations. He directed the development of CICA’s guidance on MD&A preparation and disclosure and wrote the related briefing “20 Questions Directors Should Ask about Management’s Discussion and Analysis.” 43
  • 46. Internal Control: Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting Alan Willis also co-authored CICA’s publication “Learning about Risk: Choices, Connections and Competencies.” His first foray into the realm of corporate governance was writing a guidance booklet for audit commit- tees and creating a documentary film about corporate directors in 1971. He observes that both would still be remarkably relevant today. As a member of the International Corporate Governance Network, he serves on its Non-financial Business Reporting Committee. He has worked exten- sively with Canadian and international initiatives to develop performance indicators and reporting guidelines relevant to corporate management of and disclosure about climate change impacts, environmental performance and corporate social responsibility. He is currently engaged in a multi-disciplinary North American project on the design of a new corporate governance model for the 21st century. With Jim Goodfellow, he co-authored the CICA’s September 2006 publica- tions, Internal Control 2006: The Next Wave of Certification. 44 About the Authors
  • 47. INTERNAL CONTROL: THE NEXT WAVE OF CERTIFICATION Helping Smaller Public Companies with Certification and Disclosure about Design of Internal Control over Financial Reporting 277 Wellington Street West Toronto, ON Canada M5V 3H2 Tel: 416-977-0748 www.rmgb.ca