Regulation
Creating Internal Controls
Canada's securities regulators are currently faced with establishing robust internal control requirements for public companies.
FROM: JAN-FEB 2006 ISSUE | BY LAWRENCE RICHTER QUINN
As Canada moves toward implementing effective internal controls over financial reporting for public companies, securities regulators have taken a close look at the compliance challenges brought about by the implementation of the Sarbanes-Oxley Act (SOX) in the United States. In particular, Section 404 (SOX 404) has proven to be onerous and remains an area of concern for companies in both countries.
The Canadian Securities Administrators' (CSA), other than British Columbia, proposed Multilateral Instruments 52-109, Certification of Disclosure in Issuers' Annual and Interim Filings, and 52-111, Reporting on Internal Control over Financial Reporting, aim to establish approaches to compliance that are tailored to, and appropriate for, the Canadian market. The introduction of internal control reports was to be phased in starting with financial years ended on or after June 30, 2006; however, that deadline has now been extended by one year.
Meanwhile, CGAs working for Canadian companies trading on the New York Stock Exchange and registered with the Securities and Exchange Commission (SEC) have had no choice but to familiarize themselves with SOX 404 as they file related paperwork in Washington. "I think it's a challenge for all accountants to get up to speed because the regulations are so new," says Bryan Hills, CGA, vice-president of risk management and controls at Cygnal Technologies Corp. in Markham, Ontario. "But it's important for CGAs working with public companies to really understand these regulations and the CFO/CEO certification rules."
Cygnal has "been very proactive," working on two projects simultaneously, says Hills, whose job was created about a year ago. Before then, he was Cygnal's vice president of finance. One project is to meet the requirements on disclosure controls laid out in Multilateral Instrument 52-109; the other to ready the company for 52-111. Hills' advice to those tasked with working on meeting disclosure requirements and establishing internal controls? "Make sure you have enough time to work on this, that you have enough support from the top, the board, CEO, and CFO." Hills updates his audit committee once a quarter. "They're all very supportive of these initiatives."
Avoiding America's SOX Pitfalls
Many public company executives say they're in favour of regulating the internal control process. "I do believe it will increase the quality, reliability, and discipline of the financial reporting process. We're talking about improving the culture of internal control and enhancing the reputation of the Canadian markets, and both of those are extremely important," says Hills.
Nevertheless, some executives are worried that what Canada ends up with will be little more than a copy of SOX 404 on internal controls. Many corporate finance executives say that, in their rush to comply with 404, U.S. companies have gone overboard and done a poor job as a result. Bottom line: SOX 404, as is, is cumbersome, unwieldy, and expensive to put in place.
"The way many U.S. companies have executed SOX 404 has been an absolute fiasco," says Peter Welch, president of SoxInternational Inc., a consulting firm in Washington, D.C. "Many of the mistakes could easily have been avoided; unfortunately, the legal ramifications of misstating the adequacy of your internal controls are so severe that everyone went out of their way, checking and double-checking every control. It has been extraordinarily wasteful. Now, fortunately, Canadians can learn from those mistakes and do it well right out of the box."
Trudy Curran, general counsel and corporate secretary at Canadian Oil Sands Trust in Calgary, says she's in favour of a more principles-based approach to regulation of the internal controls process — that is, regulation that doesn't discuss every circumstance or scenario that a company might face. Rather, the intent of the regulation should be the heart of it — without a lot of specific rules and requirements attached. "With SOX there's a large cost arising from dotting all the 'i's and crossing all the 't's. It's not relevant to do that and you're not getting a better product."
Others agree. "I think there's a definite benefit in developing good internal controls to increase the reliability of published financial statements and increase shareholder confidence," says Robert McColm, CGA, director of internal controls at the Aecon Group Inc. in Toronto, Canada's largest publicly-traded construction and infrastructure development company. "Currently the Canadian regulation parallels SOX, but the important thing here is that we have the time to get this right."
In fact, the CSA has been careful to incorporate the views of financial executives; last May, it actively solicited feedback to its proposed 52-111. The upshot: In late July the group extended the deadline for compliance to kick in on or after June 30, 2007, a full year's extension from what was originally proposed.
Meanwhile, in the U.S., recent "clarifications" on SOX 404 appear to be anything but. On one hand, the SEC has said that external auditors don't have to be as demanding with every control checked and tested. On the other hand, the Public Company Accounting Oversight Board (PCAOB) appears to disagree — saying that external auditors can be less onerous, but...
"A crude synthesis might be that the SEC is saying that external auditors should be more reasonable [about their demands of clients in the controls arena], but the PCAOB is saying, 'OK, but you still have to follow all our rules' — which aren't especially reasonable," explains Tim Leech, principal consultant and chief methodology officer at Paisley Consulting, a firm that specializes in operational risk management, SOX and other compliance issues, in Mississauga.
Problems with SOX 404
Consultants like Leech, who is co-authoring a new book about SOX and its problems called Sarbanes-Oxley: A Practical Guide to Implementation Challenges and Global Response, say accountants should familiarize themselves with what went wrong with 404's implementation, and should think about implementing 52-111 in conjunction with the development of an overall enterprise risk management endeavor.
Indeed, a growing number of Canadian companies are using the "top-down" models of the Committee of Sponsoring Organizations (COSO). Both Aecon Group's McColm and Cygnal Technologies' Hills are working with COSO'92, a financial control model adaptable for ERM-related purposes; both are aware of the newer model, COSO ERM, released in the past 18 months, and will be reviewing it.
Fortunately for Canadian companies, almost all the mistakes made by U.S. companies can be avoided. What are those problems?
- Continued control overkill.
U.S. companies have bent over backward to put in place and test controls for almost everything imaginable, no matter how insignificant that control may be. "U.S. companies have been out there with blinders on trying to follow the letter of the law rather than its spirit simply to avoid legal problems or getting it wrong," says SoxInternational's Welch.
- Too often, U.S. companies let outside consultants design their SOX 404 responses without sufficient input from full-time financial executives at the company.
"A lot of U.S. companies didn't know how to do this and just rushed out and got external firms to do it," says John Fraser, CA, chief risk officer at Hydro One in Toronto. "The fallout is that line management took no ownership of the program and internal audit wasn't doing any internal audit work when examining the external work, checking that the flow charts and evaluations were done properly."
Thomas C. Jones, CPA, an Andover, Mass.-based SOX consultant who has worked with the Canadian affiliates of U.S. companies, says that American firms "hired people to do the implementation for them that didn't have experience in financial reporting risk."
- American companies often didn't put together their 404 responses with larger risk management issues in mind — and unlike Canada, often did not employ a broad enterprise risk management program.
Canadian executives like McColm and Hills talk about the need for a "top-down" approach to enterprise risk and implementing financial controls. "I'd like to see more of a risk-based, top-down approach — in plain terms focusing more on high-profile risks. In the U.S. companies were required to drill down into so much detail in a short period but we're focusing on the tone at the top," says McColm.
- U.S. companies continue to focus on 404 as a regulatory and compliance concern foisted on them by Washington as opposed to an opportunity to build shareholder confidence and value.
"They look at it that way and then establish a task force, taking a check-list approach to compliance," says James Lam, author of Enterprise Risk Management: From Incentives to Controls, and president and CEO of James Lam & Associates in Wellesley, Mass., an enterprise risk management consulting firm. "They don't look at it as part of ERM and as a result don't see the forest for the trees.
"Some accountants have taken a leadership role in this but it needs to be coordinated with operational risk and audit people," Lam continues. "Otherwise there are a lot of redundancies, it's pretty wasteful. You should establish an automated, repeatable process rather than outsourcing it. It is part of an overall risk management process where you take compliance costs and turn them into business benefits."
- The culture of internal controls hasn't changed at U.S. companies so that all those involved take ownership.
An orientation toward risk and reward — and a willingness to take an interest in the control process — hasn't seeped into corporate America. The tendency is to "look at everything but ignore all the risk perspectives," says SoxInternational's Welch. "If you look at the internal flows — a supply chain or process flow — regardless of where it's taking place, every person functioning in that business unit ought to know where the data comes from. And they have to know what happens to that data within the organization.
"That's important because some employees are disinterested or lack knowledge about where those numbers come from; but if you don't care then you can't verify the number," says Welch.
- IT systems remain woefully inadequate.
"Only a relatively tiny percentage of publicly-listed companies prior to SOX had invested in IT systems to facilitate ongoing cost-effective assessment and monitoring of risk management and internal control systems," Leech says in his upcoming book. "Very few if any of the systems that do exist monitor and report on the error rate being produced by the system — that is, the number and magnitude of accounting errors detected by management and internal and external auditors. Informal polls indicate only a tiny fraction of companies have systematically tracked the frequency and magnitude of accounting errors discovered by external auditors during their audit work that resulted in forced adjustments to the accounts. These known errors can provide an excellent starting point to identifying systems that currently lack strong controls."
Work Remains to be Done
All of these problems suggest that the CSA was well-advised to put off initial implementation dates for a year. Forward-thinking CGAs like McColm are pushing ahead regardless. Working with PricewaterhouseCoopers, earlier this year McColm started a pilot program for 52-111 with one of its business units; implementing COSO ERM remains a work in progress. In the end, upgrading the company's financial reporting processes is not only a lesson in compliance, but an opportunity for operational excellence, he concludes.
Lawrence Richter Quinn is president of Quinn Risk Management Media. He is currently working on several stories about Canadian corporate ERM endeavors and welcomes input at lawrencerichterquinn@hotmail.com.