SOX 404: US Non-Accelerated Filers – Are You Ready for Certification?
April 2008 and written by Geoff Rodrigues, CA, ORMP of Horwath Orenstein - On July 30, 2002, the Sarbanes-Oxley Act became law for all companies listed in the United States, including those foreign companies that have listings on United States exchanges. Section 404 of the Sarbanes-Oxley Act set out requirements for both management of these public companies and the external auditors to separately and independently evaluate the company’s internal controls over financial reporting. Section 404 has two provisions: 404 (a) requires management to assess the effectiveness of the company’s internal controls over financial reporting, while 404 (b) requires a separate auditor attestation of the company’s internal controls. Accelerated filers (i.e. companies with market capitalization over $75 million) have been subject to both provisions since 2004. Non-accelerated filers (i.e. companies with market capitalization less than $75 million) are now gearing up to make their first certification, as management must perform their assessment for their first year ending after December 15, 2007, with the external auditors performing their assessment likely after December 15, 2009 (this date is still under review).

What Does this All Mean?

What this means is that management should already be evaluating not only the design of their internal controls over financial reporting, but also their operating effectiveness before year end. Section 404 says management has to certify that, as at year-end, the internal controls over financial reporting are effective in mitigating those risks that could prevent the financial statements from being materially accurate.
The United States Securities and Exchange Commission was very clear in its release 33-8183, “Strengthening the Commission’s Requirements Regarding Auditor Independence”, stating, “…..we believe that designing and implementing internal accounting and risk management controls impairs the accountant’s independence because it places the accountant in the role of management.” A large part of evaluating the internal controls is making design changes to identified weaknesses. Therefore, it is pretty clear that the independent auditors cannot effectively assist management with their assessment without impairing their independence. Also, the auditors are expected to perform their own assessment of the internal controls. So how could they independently assess and conclude on internal controls that they have already assessed on behalf of management, and presumably participated in making design changes based on that assessment? With all that being said, what is management to do?

Tips to Management on Performing their Assessment

Our role as consultants to companies going through the process is to provide guidance and assistance to them on applying a systematic process to document and evaluate their internal controls over financial reporting, allowing management to conclude on their effectiveness. Below we have summarized our thoughts on how to efficiently and effectively implement a sustainable certification effort:

Overall Plan – Probably the most important piece of the entire effort is to plan. If you fail to plan, then plan to fail! Within the plan, companies should begin by starting at the top. Management should look at the financial statements and assess the areas where material errors are likely to occur. This is achieved by considering several factors, such as defining a materiality threshold to identify, from a quantitative perspective, the financial statement accounts that, if misstated by that threshold, would likely affect the decisions of users of the financial statements. After performing the quantitative assessment, management should also perform a qualitative assessment on those same financial statement accounts by looking at inherent items such as complexity of transactions, history of errors, transaction volume, subjectivity to judgment, etc. After performing both the quantitative and qualitative assessments, management should be in a position to identify which financial statement areas to focus attention on. Other objectives of the plan are to develop a steering committee, develop milestones for performance of key phases, establish a document repository and identify a pilot process for evaluation.

Entity Level Controls – Based on guidance set out by the Public Company Accounting Oversight Board in Audit Standard 5, the assessment should be top-down, focusing more attention on the entity level controls due to their pervasive nature and impact. The intention is that with a strong control framework at the entity level, the likelihood of material errors occurring at the transaction level is reduced. Some of the areas to look at within the entity level are control environment, disclosure controls and procedures, estimates and judgments, period end reporting, and susceptibility to fraud.

Conduct Pilot – The purpose of conducting a pilot is to test the state of a single process or location, at the transaction level, to provide an indication of the state of all the key transaction level controls. This will provide management with a sample, based on time spent, that can be extrapolated to determine the amount of work required to complete certification. Management can use those results to refine the budget, resources, timetable and plan.

Project Roll-Out – This is the phase where the internal controls at the process level (identified in the planning phase) are evaluated. This is done by documenting the controls using process maps, risk/control matrices, and/or process narratives. Once documented, the controls are evaluated for effective design by ensuring controls are in place to mitigate all critical risks identified for each process. Once management concludes the design is effective, the controls are tested to ensure they are operating effectively.

Monitoring – The final phase represents the testing of the operating effectiveness of the internal controls over financial reporting. In this phase, samples are selected for all key controls identified in the previous phase, and test plans and procedures are developed. The test procedures are executed and results are extrapolated to represent the entire population of transactions for each material process.

Note: Remediation and implementation of new or modified controls can occur at both the design evaluation and operating effectiveness stages. Much of the work planned in the project roll-out and monitoring phases is based on the results of the entity level evaluation and on the extent to which management can rely on the strength of the entity level controls. An important hazard to watch out for is scope creep, so make sure you keep to the plan.

I’m going to conclude this article with 10 of the most common pitfalls we’ve seen companies experience when conducting their own internal control evaluation (whether it’s SOX 404 or Bill 198/MI-52-109):

- Management is trying to evaluate a function versus a process – the “Silo” mentality
- Not enough communication between management and internal audit. Internal audit is independent of management and usually performs the evaluation once the controls are documented by management.
- Lack of top-down risk-based approach – too much focus at the transaction level
- Lack of competent internal resources – organizations tend to bring in employees from finance to perform the work, but management must carefully oversee their work as not all finance personnel have experience in internal control
- Insufficient testing of automated controls – too much focus on manual controls
- Lack of timely implementation of guidance – piecemeal application of standards
- Treatment of compliance as project management versus process management – the framework developed must be sustainable
- Insufficient knowledge transfer from process owners to key personnel
- Lack of differentiation between key and non-key controls and streamlining of processes
- No initiative to introduce operational efficiencies based on compliance activities
The most important thing to remember is that internal control evaluation should extend beyond regulatory compliance and should add value where possible. So when management is going through the process, it is important to make the number of controls scalable to the size of the organization, with the focus remaining on what will materially affect the financial statements and users’ decisions. Remember, one size does not fit all!
As your company nears year-end, the most important question you can be asking yourself is, are you ready for certification?
ISO 31000 Risk Management – Principles and Guidelines on Implementation
January 2008 and written by Geoff Rodrigues, CA, ORMP of Horwath Orenstein - Risk management is defined as a systematic and disciplined approach for assessing the likelihood and impact of potential events occurring that could impede an organization from achieving its corporate objectives, and ensuring measures are in place to prevent those events from occurring. The International Organization for Standardization (ISO) is in the process of developing a standard, expected to become effective in 2009, that sets out guidelines for companies on implementation of risk management practices in their organization. This ISO 31000 is intended to apply to organizations of all sizes. The fundamental principle in ISO 31000 is “Framework Design, Implementation, Monitoring and Review, and Continual Improvement of Framework”. This sounds very similar to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) Model of “Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, and Monitoring”. Below are the definitions of the fundamental principles:

Framework design – a systematic process developed to determine what the corporate objectives of the organization are, and to gather information to identify and assess risk and the likelihood of events occurring that would prevent the objectives from being achieved. The COSO equivalent is “objective setting, event identification, and risk assessment”.

Implementation – the method by which management develops a response to deal with the “critical” risks identified, based on probability and impact, and the measures put in place to mitigate those risks. The COSO equivalent is “risk response, and control activities”.

Monitoring and review – a system in place to periodically perform test procedures to ensure the framework is operating as designed. This function is typically performed by a party independent of those who perform the activities, such as the Internal Audit department. The COSO equivalent is “Information and Communication, and Monitoring”.

Continual Improvement – a component of the monitoring and review phase, whereby changes are made to the risk management framework to align with changes in the industry or organization, resulting in improvements in the way management activities are performed. This is the only piece missing from COSO’s ERM model; however, it is generally understood that risk management is a continuous process that evolves and adapts with the organization and must be continuously reviewed and adjusted accordingly.

ISO 31000 does not require certification but is intended to provide principles and guidelines on implementation of risk management. Some of the key components in ISO 31000, which are consistent with other standards such as COSO, are:

- While risk usually implies a negative outcome, it can also identify opportunity for positive outcomes, such as reacting to changes in the economy earlier than the competition, or anticipating changes in supply chains or customer demand, etc.
- Risk management should be integrated with the ongoing operations and not be treated separately. It should be aligned with the overall decision making process of the organization
- Risk is unique to each organization, and therefore each company’s risk management framework should be customized to match its specific objectives, strategies, risk tolerance, and methods of operating
- Risk management frameworks should focus on enterprise wide policies and practices, and not be segregated among divisions and business units
- Individuals’ own accountability and performance evaluation criteria should be aligned with their roles and responsibilities within the framework
- Risk management should “create value” for the organization and therefore the resources invested in developing and maintaining the framework should be outweighed by the degree of achievement of the corporate objectives by virtue of increased profits, reduced costs, increased market share, increases in value creation, etc.
- A consistent set of terminology should be developed such as risk, event, control, risk tolerance, residual risk, etc.
While ISO 31000 does not appear to introduce concepts that are new or unique, its appeal is that it suggests a harmonized standard that organizations of all sizes across the world can look to for principles and guidelines on implementing a risk management framework. This will become even more important once the move towards a harmonized set of International Financial Reporting Standards (IFRS) for organizations across the world has been completed.
How to develop a Corporate Governance process
January 2008 and written by Geoff Rodrigues, CA, ORMP of Horwath Orenstein - Many companies understand that having a robust corporate governance process will make it easier for them to identify operational risks and anticipate barriers to reaching organizational goals. They are less sure, however, of how to develop such a process. Here are some recommendations to keep in mind:

Establish a conceptual framework
The best starting point for a comprehensive corporate governance process involves developing a conceptual framework that will identify the full range of risks within the organization. If a company has an immediate issue in a specific area – such as Human Resources – it can address it immediately. But before devoting too many resources – people, capital or technology – to any particular area, the company should develop an overview that highlights the most significant risks and allocates resources accordingly. This process, which requires a team effort, will provide the added benefit of rallying the workforce around a common goal.

Communicate throughout the organization using consistent terminology
It is important to facilitate communication horizontally across functions, divisions and business units, as well as vertically among management levels. When communication is ineffective and roles are unclear, the risk management framework is either not sustainable or is inefficient. A typical inefficiency resulting from a lack of communication is duplication of tasks and efforts. Also, to ensure appropriate Disclosure Controls and Procedures are being followed, a common language is important for communicating consistently to both internal and external audiences so that the same message is delivered, thereby preventing misinterpretation of information.

Adopt a process view
It’s important to avoid thinking in narrow, departmental or functional silos. Let’s take Customer Relations Management as an example. Employees involved in back-office functions like production or billing may not see how their work touches the customer and may ignore monitoring. In other departments, there may be overzealous monitoring, with excessive customer surveying. It’s important to appoint an overall process owner to accept responsibility for managing the risks of a given process and to create a balanced monitoring effort.

Balance control with empowerment
Regardless of the framework developed, managers and employees must believe they can contribute to managing risk rather than merely feeling inhibited by additional rules and structures. Therefore, in order to have buy-in from all the ranks, appoint managers and employees with responsibilities and empower them to make decisions. There must also be a clear understanding, though, that with responsibility comes accountability.

Move to Operational Risk Management
Operational Risk Management (ORM) is a key strategy for improving the quality and relevance of information reaching executive decision-makers, thereby leading to improved corporate governance and company performance. In addition, a more integrated approach to risk management will allow companies to anticipate unexpected events early, deploy resources to address the most critical risks and manage those risks effectively. While Enterprise Risk Management (ERM) deals with setting the organizational strategies and practices to be followed, ORM systematizes them and puts risk on everyone’s desk. ORM deals with the activities and measures in place for every employee to ensure that corporate objectives are being achieved. This is achieved by aligning the people, processes, and systems towards a common goal and taking a holistic view of the organization. It deals with linking the activities of personnel to the strategies set by senior management.
The effort to combine governance, risk, and compliance into a single software platform marches on
January 1, 2008 from CFO Magazine - “Companies have spent substantial sums attempting to cope with the many burdens of Sarbanes-Oxley. Spending on Sarbox peaked in 2006, with publicly traded companies forking out about $2 billion on technology and consulting to help them assess internal controls and material weaknesses. With much of the Section 404 scut work now automated, customers want to leverage that initial investment and create a foundation for future compliance needs…
Vendors like BWise, Qumas, 80-20, OpenPages, and Paisley have created impressive GRC platforms — that is, portals where managers can access and monitor information about governance, risk, and compliance. The problem, say analysts, is that no software publisher covers all the GRC bases.”
180 View – The article predicts that “GRC will be as common a business term as ERP”. We think that ERP will be extended to include GRC just as ERP has been extended to include CRM, BI and CPM.
Business Process Outsourcing and its Underlying Risks
January 2008 and written by Al Title of Horwath Orenstein – “Hope is not a method. Without a risk management program that identifies, reports and mitigates principal business risks using a systematic and disciplined approach, your organization will be spending most of its time with crisis management instead of being focused on achieving its business objectives. Recently Al Title, a partner in Horwath Orenstein’s Risk Management Group, led a discussion on Business Process Outsourcing (BPO) and its underlying risks at York University’s Schulich School of Business Masters Program for Operational Risk Management. The highlights of the discussion were the following:
- Good business theory suggests that most activities that are not part of an organization’s core competency should be outsourced.
- Presently, there is a tidal wave of outsourcing activity worldwide resulting from a lack of resources, a global economy and the need to remain competitive by focusing on core competencies.
- The key to successful BPO is ensuring that there is a clear understanding by your organization and the service provider as to where they fit into the value chain of interdependencies and alignment with your business objectives.
- Once you understand your principal business risks, you realize they are the same or similar whether they are outsourced or internal. The difference is that you have to manage these risks with a different style and process while operating in an outsource environment.
- The benefits of BPO include: a) Drives an organization towards achieving its objectives; b) Improves ability to enter new markets; c) Improves resiliency; d) Improves the ability to adapt and innovate; e) Improves the ability to expand production and market share
- A risk matrix framework is recommended to identify all the risks. The matrix should include the following components based upon people, process, systems and external factors: a) Strategic; b) Selection; c) Implementation; d) On-going management; e) Contingency planning
If you would like to discuss any of these highlights, other risk management issues or obtain a copy of the presentation, please contact Al Title at 416-260-3513 or email atitle@hto.com.
Certification Requirements for Certifying Officers of TSX Listed Companies – Where We Are Today
December 2007 written by Geoff Rodrigues of Horwath Orenstein – “On November 23, 2007 through CSA Notice 52-319, the Canadian Securities Administrators (CSA) announced an update to the regulatory regime to require companies to certify the design and effectiveness of internal controls over financial reporting. Under the current proposed requirements, companies must have a process in place to design and evaluate their internal controls over financial reporting as well as disclosure controls and procedures. This would include testing the critical controls to ensure they are operating effectively. These controls must also be relied upon by the Certifying Officers of the organization (i.e. CEO and CFO) when certifying the reliability and accuracy of all financial information reported to external users. Through the testing required, the Certifying Officers must ensure any “reportable deficiencies” identified have been disclosed as well as the status of remediation efforts. Reportable deficiencies are deficiencies identified in internal controls either individually or in aggregate that would cause a reasonable person to doubt the reliability of the financial information reported.
One of the most significant differences from the regulatory requirements under section 404 of the Sarbanes Oxley Act of 2002, is the requirement for external auditor attestation in the United States. In Canada, the certification is a self-assessment and the issuer is not required to obtain from its auditor an internal control audit opinion regarding management’s assessment of the internal controls over financial reporting. The perception in the market is that this makes the process less onerous for management and keeps the compliance costs lower than in the United States.
However, there is still a requirement for management to self-assess their internal controls over financial reporting, and without the requirement to have these assessments evaluated by the external auditor, this puts more focus on management’s efforts to ensure the company has adequate internal controls. The Certifying Officers have a responsibility to the organization they oversee, as well as to the external shareholders, to ensure that information reported is reasonably reliable, accurate, and timely. It is important to understand your regulatory requirements and ensure compliance with the appropriate laws and regulations.
Some of the highlights of CSA Notice 52-319 are:
- The Certifying Officers of Venture issuers will no longer be required to certify that they have designed and evaluated the effectiveness of their internal controls over financial reporting
- All other reporting issuers, except investment funds, are still expected to certify over the effectiveness of the internal controls over financial reporting, but the effective date is no longer June 30, 2008. At this point a new effective date has not been released by the CSA.
For further details on the recently released CSA Notice 52-319 or an interpretation of what this means for your organization, click here.
The corporate governance landscape in Canada
2007 from Deloitte – “The corporate governance revolution began in the United States with one piece of legislation — the Sarbanes-Oxley Act of 2002. Canadian regulatory reforms have been introduced in a piecemeal fashion through separate instruments and legislation, issued at different times, and by different regulatory or legislative bodies…
CEOs and CFOs must personally certify that they have designed and overseen appropriate disclosure controls and procedures (DC&P); for 2006 annual certificates, they will also have to certify as to the design of internal controls over financial reporting (ICFR).”
180 View – There are some major compliance differences between the US and Canada. In the US, an independent auditor must attest to the effectiveness of the internal controls. This one sentence has huge implications. Testing can take more time than evaluating the design of the control. As well, the US does not allow the external auditor to do the compliance work as they are not deemed independent.
Governance, risk management and compliance and what it means to you
July 5, 2007 from Network World – “Get ready for a new buzz phrase to descend upon the IT department: “governance, risk management and compliance,” or GRC. You’re probably already familiar with compliance, especially if your company has to comply with regulations such as Sarbanes-Oxley, HIPAA, GLBA or any number of other government or industry regulations. Now it’s time to understand your role in corporate governance and risk management.
Looking at your company as a whole, there are people at the top who are trusted with running the company in an ethical way, making sure that the company establishes appropriate objectives and shows measured achievements toward those objectives. This is governance. Up until the days of Enron, WorldCom, et al., governance took place quietly in the background. Now it has been thrust into the spotlight, and it is much more closely tied to risk management and compliance.
Risk management is the practice of identifying, measuring, reporting on and appropriately managing the risks that could impact the company’s governance objectives. For example, risk managers look for competitive threats, political situations and new government regulations that could impact the business. They study the known risks and come up with ways to mitigate them.
180 View – GRC has been around for years but seems to be taking off as the compliance component of Sarbanes-Oxley (SOX) work diminishes. For a more detailed explanation of GRC, click here for a whitepaper from the Compliance Consortium published May 16, 2005.
What to do about Sarbox auditing?
July 25, 2007 from IT Business Edge – “A report from AMR Research indicates that Sarbanes-Oxley compliance spending will reach $32 billion next year — the majority of which is allocated to outside consultants. AMR vice president John Hagerty notes, “If there’s a clear winner here, it’s the auditors themselves.”
And though one might think that competition between firms for big Sarbox audit contracts would be fierce, Sarbanes-Oxley prevents audit firms from performing internal compliance consulting for the companies they audit. As such, those companies often hire one firm for consulting and another to do the audit.”
180 View – This is not what’s happening in Canada where the external auditor is not prevented from reviewing controls based on Canadian Securities Administrators (CSA) guidelines.
Proposed Replacement of Instrument Relating to Internal Control Reporting and Certification Requirements
On March 30, 2007, the Canadian Securities Administrators (CSA) released for comment a revised National Instrument (NI) 52-109 - Certification of Disclosures in Issuers’ Interim and Annual Filings. The revised proposals set out the CSA’s approach for reporting on the effectiveness of internal control over financial reporting (ICFR). To understand what this means and its implications, we asked Horwath Orenstein LLP. The new proposals are effective for year-ends ending on or after June 30th 2008. In addition to the current certification requirements in place, the key points that will have a significant impact on senior management are that CEOs and CFOs are required to:
- evaluate the effectiveness of the issuer’s ICFR as of year end and disclose their conclusions in the annual MD&A
- disclose in the issuer’s annual MD&A the process for evaluating the effectiveness of ICFR
- disclose in the issuer’s MD&A reportable deficiencies in the design and operation of ICFR
- identify in the issuer’s annual MD&A the control framework used to design ICFR, or the fact that no framework was used
- disclose to the external auditors, board of directors and audit committee any fraud that involves management or employees involved in the issuer’s ICFR
In addition, the CSA also released Companion Policy NI 52-109CP, which provides guidance on the design and evaluation of DC&P and ICFR. The proposed guidance suggests a top-down, risk-based approach for management to identify significant accounts and processes, determine financial reporting assertions, and evaluate the design of the components of ICFR.

What Are the Implications of the CSA Approach for Senior Management?

- CEOs and CFOs are now required to conduct an evaluation of their ICFR and conclude on its design and operating effectiveness based on a risk-based, systematic, and disciplined review process, with sufficient documentation prepared to support their conclusions.
- It is not sufficient for CEOs and CFOs to rely on the internal control audit review performed by the external auditors as part of the year-end audit for the basis of their conclusion on the effectiveness of ICFR. The CEO and CFO are required to perform their own independent and objective review. The external auditor’s review of internal controls can be used to corroborate senior management’s conclusions, not replace it.
- The review of ICFR should be based on an internal control framework in order to evaluate the overall effectiveness of the design of the issuer’s internal controls. The most common internal control framework is the Committee of Sponsoring Organizations (COSO) – Internal Control over Financial Reporting.
- Sufficient due diligence should be performed during the review process to support senior management’s assertion that a robust investigation was performed on the effectiveness of ICFR and at a minimum, meets the CSA Companion Policy NI 52-109CP requirements for certification.
- The review of ICFR should consider the possibility of fraud as it relates to individuals responsible for internal controls and corporate governance.
- The audit committee should understand senior management’s review process for ICFR and ensure that reportable deficiencies are appropriately disclosed in the MD&A. This is particularly important given the civil liability action provisions of Bill 198 for secondary market disclosure.
180 View – If you have questions, we suggest you call Rob Crawford, who is the Director of Risk Management Services at Horwath Orenstein LLP. Robert can be reached at 416-596-6767 Ext 252.