Compliance Blog

Both Section 302 of the Sarbanes-Oxley Act (in place for the last 3 years), and the existing Canadian equivalent Multi-Lateral Instrument 52-109 (internal controls portion to begin for fiscal y/e on/after June 30, 2006, pre-March 10, 2006 proposed revision - CSA Notice 52-313), take a significant step by mandating that a CEO/CFO certify internal controls over financial reporting (ICFR) in terms of "any significant changes that have occurred", and "all significant deficiencies and material weaknesses in the design or operation of internal controls ...likely to adversely affect ... financial information", and "any fraud, whether or not material, that involves management .... who have a significant role in the registrant's internal control over financial reporting".

Wouldn't it make sense, particularly for U.S. filers, that much of the ICFR work was already done prior to Section 404 (management evaluation and auditor attestation kicking in)?

I'm not so sure. So, where am I going with this topic?

What if the ICFR portions of SOX 302 and the current (not proposed) version of MI 52-109, which are essentially self-policing, are not really getting much emphasis by the CEO and CFO? Maybe it takes external validation (the external auditor) to energize the average management team to really take a good look at ICFR. Thus, SOX 404.

Kind of like leaving your place messy until the neighbors come over for dinner.

In the SOX context, a March 2006 study by Lord & Benoit highlights (click here) that only 1 in 8 firms disclosed material weaknesses via SOX 302 disclosure and certification in the quarter prior to the disclosure of SOX 404 material weaknesses. Keep in mind that there were 613 restatements in 2004, and 1195 in 2005 according to research by Glass Lewis. Definitely a sign of internal control issues.

It seems that the quality of self-reporting is not very high unless it is backed up by the threat of some outside review.

Sad.

So, what does this mean for the future?

Three things come to mind:

1. What have Audit Committees been doing prior to SOX 404 kicking in (or the Canadian equivalent)? Has anyone been asking the CEO/CFO tough questions and asking for some evidence of real ICFR activity?
2. Expect a big increase in deficiencies/weaknesses from non-accelerated SOX filers. Their 302 reports with respect to ICFR are bound to go negative once the SOX 404 auditor attestation debate is nailed down . Honey, the neighbors are coming for dinner! And boy, are they hungry!
3. The value of MI 52-109 ICFR requirements without external auditor attestation. Canadians are nice people but no more principled than their U.S. cousins. Expect that if the CSA and regulators like the OSC did "spot audits" of ICFR that they would find the quality of work quite lacking - particularly with the smaller companies. Would investors be surprised? No, that is one of the reasons that they will place a greater risk premium on Canadian equities that are not SOX compliant.

I'm not a big fan of the "externals" and the excessiveness of many of their ICFR engagements. However, wouldn't it be nice if management and the board/audit committee got their financial houses in order without the threat of outside intervention. Oh well, I guess it is no surprise, just take a look at the next big thing on the horizon, "Executive Compensation and the Link to Company Performance". Now that is an "internal control" problem!

If you'd like to get on with strengthening your internal controls over financial reporting, either because you have to, or just because you'd like to, please go to www.issuescentral.com to learn more about the award-winning Compliance Playbook(TM). For Canadian-based companies, please go to our friends at www.compliancepartner.ca to learn about the product that is the market leader - Compliance Partner(TM).