October 31, 2007
Canadian Public Companies Need to Focus on Internal Controls
While many Canadian companies are working hard on their NI 52-109 projects, there are many who have not put the consistent effort into providing investors that they have reasonable assurance over their Internal Control over Financial Reporting. This is especially disconcerting since the legislation has been proposed and/or in place for many years now.
Of special concern is the Venture Exchange where the resources to comply with this complex legislation are just not available. Many of these companies are in natural resources: mining and natural gas. This represents approximately 1600 companies or (of the approximately 3800 public companies) 42% of companies listed on Canadian exchanges.
Next year is an extremely crucial year in the progress of the requirements of this legislation. It is the year where public companies must certify the effectiveness of their internal control over financial reporting. In other words, they must certify that their controls "work as advertised".
Many companies have struggled with the first phase of this legislation: "Design and Implement Internal Controls over Financial Reporting". It will be interesting to see what happens when the really tough stage begins.
A recent article discusses some of these challenges:
Excerpts from the complete article from the National Post:
"Canadian corporate disclosure about internal controls is also inconsistent and regulation here "severely lags" behind the United States, despite a slew of new rules designed to improve reporting, say the authors of the study...
Only 46% of TSX-listed companies surveyed said their internal controls were effective. Among Venture Exchange companies, the figure plummets to 13%. Internal controls are the checks and measures companies have in place to prevent fraud and to make sure the financial information they generate is accurate."
There is much work to be done. Investors will be closely watching the results.
If your company has to comply with SOX 404 or NI 52-109, and wants to do it in a sensible and cost effective way, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.
Of special concern is the Venture Exchange where the resources to comply with this complex legislation are just not available. Many of these companies are in natural resources: mining and natural gas. This represents approximately 1600 companies or (of the approximately 3800 public companies) 42% of companies listed on Canadian exchanges.
Next year is an extremely crucial year in the progress of the requirements of this legislation. It is the year where public companies must certify the effectiveness of their internal control over financial reporting. In other words, they must certify that their controls "work as advertised".
Many companies have struggled with the first phase of this legislation: "Design and Implement Internal Controls over Financial Reporting". It will be interesting to see what happens when the really tough stage begins.
A recent article discusses some of these challenges:
Excerpts from the complete article from the National Post:
"Canadian corporate disclosure about internal controls is also inconsistent and regulation here "severely lags" behind the United States, despite a slew of new rules designed to improve reporting, say the authors of the study...
Only 46% of TSX-listed companies surveyed said their internal controls were effective. Among Venture Exchange companies, the figure plummets to 13%. Internal controls are the checks and measures companies have in place to prevent fraud and to make sure the financial information they generate is accurate."
There is much work to be done. Investors will be closely watching the results.
If your company has to comply with SOX 404 or NI 52-109, and wants to do it in a sensible and cost effective way, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.
October 12, 2007
Smaller Companies Should Focus on Key Areas for AS#5 Reviews
In our work with small to mid-sized SOX 404 filers, we have long proposed that a risk based approach to scoping and planning projects is key. In the "Dark Ages" of SOX 404 (2002-2005) many external auditors were recommending form over substance and requiring clients to document everything that moved in a company.
Whew! Enter Audit Standard #5. This new shorter and more risk based approach that will be in place for auditors to use to do their attestation for registrants' ICFR directs auditors to review high risk processes and how projects are scoped.
We have long directed smaller clients to do proper scoping with a top down risk based approach. Further, Entity level controls have been a focus for smaller companies to "hang their hats" on. Additionally, in our informal surveys of clients, we have found that the most important process in this endeavor is the financia reporting process. This process is the least documented, the most supported by spreadsheets and the most rushed and therefore subject to error.
Here is an exceprt from an article from Metropolitan Corporate Counsel concerning some key areas for registrants to focus on:
"Conceptually, the financial reporting process is a broad category encompassing such sub-processes as the financial close process; significant estimates; footnotes and disclosures; equity; and intercompany and related party transactions, among others. Management can better focus on high-risk areas by beginning with the financial reporting process and documenting the risks and related controls in place. For example, documenting and testing controls over significant estimates will most certainly overlap other processes - such as Revenue and Accounts Receivable - and it will bring the areas of highest concern and complexity to the forefront of management's assessment process.
A critical mistake many organizations made in the past was in applying a "blanket" approach. Documentation was created and testing of controls was executed at the same level of detail for each process regardless of the comparable risk level. Using this approach, a process involving routine transactions such as payroll, e.g., might receive the same level of time, effort and focus in creating evidential matter as the process relating to significant estimates in financial reporting...
AS5 indicates that certain entity-level controls might be at the right level of precision to adequately prevent or detect a material misstatement of the financial statements. For example, executive management might conduct an analytical review of the monthly financials. Typically, the issue from a SOX 404 perspective is that the review (i) might not occur at an appropriate level of detail, (ii) lacks documentation of anomalies and unexpected results and (iii) the investigation and resolution is conducted through verbal communication.
Management should focus on improving entity-level controls, including increasing their precision level. Management should also emphasize maintaining proper documentation in evidencing such controls to reduce additional work at the process level in documenting and testing the controls to mitigate the risk. Management should voice its plans to increase the precision level and operation evidence of entity-level controls in the first discussion with the external auditor. This allows the auditor to give management feedback on how the evidential matter on the effectiveness of entity-level controls may impact the auditor's assessment process."
If your company has to comply with SOX 404 or NI 52-109, and wants to do it in a sensible and cost effective way, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.
Whew! Enter Audit Standard #5. This new shorter and more risk based approach that will be in place for auditors to use to do their attestation for registrants' ICFR directs auditors to review high risk processes and how projects are scoped.
We have long directed smaller clients to do proper scoping with a top down risk based approach. Further, Entity level controls have been a focus for smaller companies to "hang their hats" on. Additionally, in our informal surveys of clients, we have found that the most important process in this endeavor is the financia reporting process. This process is the least documented, the most supported by spreadsheets and the most rushed and therefore subject to error.
Here is an exceprt from an article from Metropolitan Corporate Counsel concerning some key areas for registrants to focus on:
"Conceptually, the financial reporting process is a broad category encompassing such sub-processes as the financial close process; significant estimates; footnotes and disclosures; equity; and intercompany and related party transactions, among others. Management can better focus on high-risk areas by beginning with the financial reporting process and documenting the risks and related controls in place. For example, documenting and testing controls over significant estimates will most certainly overlap other processes - such as Revenue and Accounts Receivable - and it will bring the areas of highest concern and complexity to the forefront of management's assessment process.
A critical mistake many organizations made in the past was in applying a "blanket" approach. Documentation was created and testing of controls was executed at the same level of detail for each process regardless of the comparable risk level. Using this approach, a process involving routine transactions such as payroll, e.g., might receive the same level of time, effort and focus in creating evidential matter as the process relating to significant estimates in financial reporting...
AS5 indicates that certain entity-level controls might be at the right level of precision to adequately prevent or detect a material misstatement of the financial statements. For example, executive management might conduct an analytical review of the monthly financials. Typically, the issue from a SOX 404 perspective is that the review (i) might not occur at an appropriate level of detail, (ii) lacks documentation of anomalies and unexpected results and (iii) the investigation and resolution is conducted through verbal communication.
Management should focus on improving entity-level controls, including increasing their precision level. Management should also emphasize maintaining proper documentation in evidencing such controls to reduce additional work at the process level in documenting and testing the controls to mitigate the risk. Management should voice its plans to increase the precision level and operation evidence of entity-level controls in the first discussion with the external auditor. This allows the auditor to give management feedback on how the evidential matter on the effectiveness of entity-level controls may impact the auditor's assessment process."
If your company has to comply with SOX 404 or NI 52-109, and wants to do it in a sensible and cost effective way, contact http://www.issuescentral.com/ for more information on Compliance Playbook® for companies based outside of Canada. For Canadian based companies, see http://www.compliancepartner.ca/ for more information on Compliance Partner™ from Thomson Carswell.
