Current Print Edition
August/September 2010
CMA Management is a dynamic business magazine designed to help senior management professionals make informed decisions and give them a strategic advantage. Published by CMA Canada, CMA Management is circulated to more than 35,000 CMAs and 10,000 CMA candidates and students. It is also available by subscription.

Applying Bill 198

As the deadline fast approaches for some companies to adopt the requirements of what some refer to as “Canadian SOX”, it’s worth considering how best to do so. CMA Madeleine Ferris takes a close look at CoCo and COSO in a soon-to-be-released new book.

By Madeleine Ferris, CMA

In 2002, the Ontario Securities Commission (OSC) introduced Bill 198 in response to the reforms taking place in the U.S. under the Sarbanes-Oxley Act and to regain the confidence of investors in Canada’s capital markets. In the soon-to-be-published Governance, Risk, and Compliance Handbook (John Wiley & Sons, December 2007), Madeleine Ferris, CMA, takes a careful look at the new regulations and how best to implement them. The following is a shortened adaptation of that chapter.

The purpose of Multilateral Instrument 52-109 (MI 52-109) — Certification of Disclosure in Issuers’ Annual and Interim Filings is to improve the quality and reliability of reporting issuers’ annual and interim disclosures. The initial phase of the ruling required CEOs and CFOs to certify that they have designed, or supervised the design of, internal controls and disclosure controls and procedures, and that they have implemented those controls.

Annually, they must evaluate the effectiveness of their internal controls and disclosure controls and procedures and present their conclusions regarding their effectiveness in the annual MD&A. They must disclose to the issuer’s audit committee and independent auditors any significant control deficiencies, material weaknesses, and acts of fraud that involve management or other employees who have a significant role in internal controls. The specific policies or procedures involved in an issuer’s internal controls or disclosure controls aren’t prescribed.

There were also two other policies issued by the OSC. Multilateral Instrument 52-108 (MI 52-108) — Auditor Oversight requires that the auditors of reporting issuers be members of the Canadian Public Accountability Board’s (CPAB) Oversight Program for public accounting firms that audit the financial statements of public companies, and that they be in good standing with CPAB.

Multilateral Instrument 52-110 (MI52-110) — Audit Committees defines the meaning of independence and the education and/or experience required of a member of the issuer’s audit committee. Some of the responsibilities of the audit committee include:

  • overseeing the work of the external auditors including audit and non-audit services,
  • reviewing the issuer’s financial statements, MD&A and earnings press releases before the issuer publicly discloses them,
  • ensuring that adequate procedures exist for reviewing the issuer’s disclosure of financial information extracted or derived from the issuer’s financial statements, and
  • establishing procedures for:
    • the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters
    • the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.

After considering the feedback received during the comment period from a wide range of stakeholders and recent developments internationally, particularly in the U.S., the OSC expanded MI 52-109 to include internal control reporting requirements. The most significant difference from U.S. law is that the issuer does not have to obtain from its external auditor an internal control audit opinion concerning management’s assessment of the effectiveness of internal control over financial reporting.

What is required?

There are a number of models being applied in Canadian companies to provide a standard approach to assess the effectiveness of the internal controls including:

  • CoCo, a model issued by the Criteria of Control Board (CoCo), a body of the Canadian Institute of Chartered Accountants (CICA).
  • COSO, a model developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
  • COBIT, an IT governance tool developed by the IT Governance Institute (ITGI) that helps an organization focus its information technology in support of overall business objectives.

The internal control reporting requirements of MI 52-109 apply to all reporting issuers in Canada. The earliest that these requirements will apply is the financial year ending on or after December 31, 2007.

CoCo control model

CoCo defines control as comprising “those elements of an organization (including its resources, systems, processes, culture and tasks) that, taken together, support people in the achievement of the organization’s objectives.”

The CoCo control model is based on four interrelated elements:

  • Purpose
  • Commitment
  • Capability
  • Monitoring and Learning

A person performs a task, guided by an understanding of its purpose and supported by capability (information, resources, supplies and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn how to do the task better. The same is true of any work group. In any organization, the essence of control is a combination of these four elements.

Purpose: These criteria provide a sense of the organization’s direction. They address its objectives, risks and opportunities, policies, planning and performance targets and indicators. The components include:

P1 Objectives, including a mission, vision and strategy, should be established, communicated and prioritized to provide direction.

P2 The significant internal and external risks faced by an organization in the achievement of its objectives should be identified and assessed on an ongoing basis.

P3 Policies designed to support the achievement of an organization’s objectives and the management of its risks should be established, communicated and practiced so that people understand what is expected of them and the scope of their freedom to act.

P4 Plans, including strategies, action plans, and operating and financial targets, to guide efforts in achieving the organization’s objectives should be established and communicated.

P5 Objectives and related plans should include measurable performance targets and indicators that provide early warning if targets have not been met.

Commitment: These criteria provide a sense of the organization’s identity and address its ethics, human resource policies, authority, responsibility and accountability, and mutual trust. The components include:

CO1   Shared ethical values, including integrity, should be established, communicated and practiced throughout the organization.

CO2   Human resource policies and practices should be consistent with an organization’s ethics and with its objectives.

CO3   Authority/responsibility and accountability should be clearly defined and consistent with an organization’s objectives so that actions are taken by the appropriate people.

CO4   An atmosphere of mutual trust should be fostered to support the flow of information among people. Mutual trust supports the flow of information needed to make decisions and take action. Open communication both creates and depends on trust.

Capability: These components provide a sense of the organization’s competence. They deal with knowledge, skill and tools, communication processes, information, coordination, and control activities.

CA1   People should have the necessary knowledge, skills and tools to support the achievement of the organization’s objectives.

CA2   Communication processes should support the organization’s values and the achievement of its objectives through open communication of timely, relevant, and reliable information.

CA3   Sufficient and relevant information should be identified and communicated in a timely manner to enable people to perform their assigned responsibilities.

CA4   The decisions and actions of different parts of the organization should be coordinated.

CA5   Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, and the inter-relatedness of control elements.

Monitoring and Learning: These components entail reviewing internal and external environments, monitoring performance against targets, challenging assumptions, reassessing information needs and systems, establishing follow-up procedures and assessing the effectiveness of control.

ML1  External and internal environments should be monitored to obtain information that may signal a need to re-evaluate the organization’s objectives and controls.

ML2  Performance should be monitored against the targets and indicators identified in the organization’s objectives and plans. Information must be timely and reliable.

ML3  The assumptions behind an organization’s objectives should be periodically challenged.

ML4  Information needs and related information systems should be reassessed as objectives change and as reporting deficiencies are identified.

ML5  Follow-up procedures should be established to ensure appropriate actions occur. For change to be effective, information such as the results of control assessments must be communicated to those who can authorize change.

ML6  Management should periodically assess the effectiveness of control in its organization and communicate the results to those accountable.

The criteria that need to be addressed include both hard and soft controls. The hard controls are more easily measured and may include organizational structure, formal processes, and policies and procedures. The soft controls include “tone at the top”, trust, shared values, and commitment. The soft controls are often based on observation because they are behavior-based intangibles.

Comparison of CoCo to COSO

There are three main differences between the U.S. COSO and Canadian CoCo frameworks.

1. Definition and scope

COSO defines internal control as a process, effected by an organization’s directors, managers, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

CoCo defines control as the elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives. It defines three categories of objectives:

  • Effectiveness and efficiency of operations
  • Reliability of internal and external reporting
  • Compliance with applicable laws and regulations and internal policies.

Consistent with its definition, CoCo includes the scope of control for some particular aspects of management that COSO excludes such as objective setting, strategic planning and risk management, and corrective actions. CoCo does exclude decision making from the scope of control.

2. Underlying Concepts

CoCo is explicit about some concepts that aren’t addressed in COSO. These are:

  • Control includes the identification and mitigation of the risk of failure to maintain the organization’s:
    • capacity to identify and exploit opportunities.
    • resilience — its capacity to respond and adapt to unexpected risks and opportunities, and to make decisions on the basis of telltale indications in the absence of definitive information.
  • CoCo includes two criteria not explicitly addressed in COSO. They relate to:
    • The mutual trust between people and the periodic challenge of assumptions.
    • The concept of monitoring in the CoCo guidance includes monitoring of the operating performance of the organization. COSO’s discussion of monitoring could be interpreted as focused on monitoring of specific control activities.

3. The Judgment of Effectiveness

COSO addresses this as follows: “Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that:

1. They understand the extent to which the organization’s operations objectives are being achieved.

2. Published financial statements are being prepared reliably.

3. They are compliant with applicable laws and regulations.”

Determining whether a particular internal control system is effective is a subjective judgment resulting from an assessment of whether five components (control environment, risk assessment, control activities, information and communication, and monitoring) are present and functioning effectively. Their effective functioning provides the reasonable assurance regarding the achievement of one or more of the stated categories of objectives. Thus, these components are also criteria for effective internal control.

CoCo differs in three important respects:

1. The judgment of effectiveness is made in relation to a specific objective, not a category of objectives.

2. CoCo asks that an assessment of the effectiveness of control be made against 20 specific criteria. COSO asks that assessment be made for each of five components, and provides illustrative issues to consider for each component. All of COSO’s issues to consider are addressed directly or indirectly within the CoCo document, except perhaps the following:

  • Receptivity of management to employee suggestions of ways to enhance productivity, quality, or other similar improvements.
  • Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal controls continues to function.
  • Extent to which outside parties have been made aware of the entity’s ethical standards.
  • Extent to which training seminars, planning sessions, and other meetings provide feedback to management on whether controls operate effectively.
  • Appropriateness of the level of documentation (of an evaluation).

3. CoCo defines an effective control as a control that makes an organization reliable in achieving its objectives and provides reasonable assurance that the organization will achieve its objectives.

There isn’t a specific defined approach to address compliance with MI 52-109 in Canada. An organization should evaluate the various control assessment frameworks available and select one or combine the available frameworks that best meet its needs. Ultimately, the objective of Bill 198 is to ensure increased accuracy in financial reporting. In so doing, companies are able to better manage and mitigate risk within the organization, and achieve better corporate governance.

Madeleine Ferris, CMA, MBA, CSOXP® Sarbanes Oxley Institute Certifications (mgferris@shaw.ca), is a senior business professional with over 20 years’ experience in financial analysis and the application of IT to address common business issues. In the last three years, she has been the senior project manager for Sarbanes-Oxley implementations through Ferris Enterprises Inc.

This content is excerpted from Governance, Risk, and Compliance Handbook, (9780470095898, December 2007) with permission from the publisher, John Wiley & Sons. All rights reserved.


Additional resources

The Committee of Sponsoring Organizations of the Treadway Commission
www.coso.org

The CoCo framework
Available at www.cica.org
