Post on 24-May-2015
12-Sep-06
GNA Consulting Group Ltd.
CEO/CFO Certification – An IT Audit Perspective
Brent Shirley, B. Comm., MBA, CAIT/CISA, CMC
James McGregor, B. Comm., MBA
CEO/CFO Certification
CEOs and CFOs of Canadian public companies are required to “certify” the design (documentation) and evaluation (testing) of:
- disclosure controls and procedures (DCP) – SOX 302, MI 52-109
- internal control over financial reporting (ICFR) – SOX 404, MI 52-109 enhanced. (Note MI 52-111 has been withdrawn.)
Why
Many DCP/ICFR failures in recent years
US Examples - Enron, WorldCom, QWest, Global Crossing, Duke Energy, Tyco, Xerox, Sunbeam, HealthSouth, Freddie Mac, Parmalat, Shell, Goodyear, etc., etc.
Canadian Examples - Nortel, Livent, Bre-X, YBM Magnex, Corel, Laidlaw, Hollinger, CP Ships, etc., etc.
What
Certification signed by the CEO and CFO in the prescribed format (no changes are allowed).
Example Certifications: Microsoft Corporation, TELUS Communications Inc.
Which Companies Must Certify
Certification of Disclosure Controls and Procedures
Currently CEOs and CFOs of most US and all Canadian public companies must certify the design and evaluation of DCP.
Certification of Internal Control Over Financial Reporting
CEOs and CFOs of US companies – Accelerated Filers – and Canadian companies that file a 10-K/10-Q have had to certify the design and evaluation of ICFR for at least the last two years. In addition, an audit attestation has been required.
CEOs and CFOs of Canadian companies filing in the US using a 20-F or 40-F that are Large Accelerated Filers ($700 million or more market capitalization) and with year ends ending on or after July 15, 2006 must now certify the design and evaluation of ICFR. In addition an audit attestation is required. One year delay for other Canadian Accelerated Filers (between $75 and $700 million market capitalization).
CEOs and CFOs of all other Canadian public companies (not filing in the US) with year ends ending on or after June 30, 2006 must now certify the design of ICFR. The certification of the evaluation for ICFR will at the earliest be required for years ending on or after December 31, 2007 but will not require audit attestation.
Note: Dates and rules continue to change and current requirements should be confirmed with legal counsel.
Consequences/Penalties
- Regulator Enquiry and Investigation
- Re-filing and Press Release
- Audit Committee/Board Investigation
- Fines
- Delisting
- Third party legal action/class action
- Jail
An Example
What Can Go Very Wrong
Definition of DCP
Definition of Disclosure Controls and Procedures (DCP) – MI 52-109
Means controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under provincial and territorial securities legislation is recorded, processed, summarized and reported within the time periods specified in the provincial and territorial securities legislation and include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under provincial and territorial securities legislation is accumulated and communicated to the issuer’s management, including its CEOs and CFOs, as appropriate to allow timely decisions regarding required disclosure.
What Needs To Be Done For Management To Certify DCP
Disclosure Controls and Procedures (DCP) Certification - Design
Define and document disclosure universe and processes (and controls) followed to prepare 10-K, 10-Q, MD&A, Certifications, Annual Report, AIF, Prospectuses, etc.
Consider Earnings Press Release, Press Releases Containing Financial Information, etc.
Consider Websites, Investor Presentations, Health and Safety Reports, etc.
Consider any other public disclosure determined by management to be “material”
What Needs To Be Done For Management To Certify DCP
Disclosure Controls and Procedures (DCP) Certification - Design
Consider sub-certification by key players (the CIO may be asked to certify on his/her area of responsibility)
Consider Disclosure Committee
Consider Disclosure Policy
Consider Audit Committee Role
What Needs To Be Done For Management To Certify DCP
Disclosure Controls and Procedures (DCP) Certification - Evaluation
- Prepare an Evaluation (Test) Plan
- Identify Significant Disclosures to Review
- Gather and Review:
  - Material supporting disclosures – words and numbers
  - Disclosure Committee minutes/approvals
  - Timing of disclosure
- Interview key participants
- Prepare Evaluation Report
IT Audit Perspective
Disclosure Controls and Procedures (DCP) Certification - Consider
- Controls over spreadsheets and databases that produce numbers for disclosure – e.g. share capital, options, production statistics, market analysis – accuracy and completeness.
- Controls over presentations used for analyst calls and industry updates – e.g. PowerPoint links to spreadsheets and databases, version control, avoid selective disclosure.
- Controls over corporate websites – e.g. timing of posting, current data consistent with other disclosures and other websites, reference to current code of conduct, corporate governance information, whistleblower process, avoid selective disclosure.
Definition of ICFR
Definition of Internal Controls over Financial Reporting (ICFR) – MI 52-109
Means a process designed by, or under the supervision of, the issuer’s CEOs and CFOs and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements for external purposes in accordance with the issuer’s GAAP and includes the policies and procedures that:
(a) pertain to maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer.
(b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issuer’s GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and
(c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the annual financial statements or interim financial statements.
What Needs To Be Done For Management To Certify ICFR
Create a Project
- Project Sponsor
- Project Charter
- Steering Committee
- Staffing – Internal versus External
Select Framework (COSO, COBIT)
Decide on Scope
- De-consolidation of Financial Statements
- Locations in Scope
- Business Processes in Scope (e.g. Revenue, Expenditures, Investments, Capital Assets, HR and Payroll, Legal and Regulatory, Tax, Financial Statement Close, etc.)
What Needs To Be Done For Management To Certify ICFR
Managing the Project
- Project Management
- Documentation
  - Narrative
  - Flowchart
- Design Evaluation – By Management
  - Control Matrix
  - Identify Key Controls
- Testing
  - Test Plans
  - Test Key Controls
- Remediation, Re-Testing
- Effectiveness Evaluation – By Management
- Audit Attestation (US Filers Only)
What Needs To Be Done For Management To Certify ICFR
IT Perspective
- First, identify the applications supporting the in-scope business processes
- Next, identify the infrastructure/organization supporting the applications:
  - Shared Services
  - Regional / Departmental Computing
  - Third Party Applications / ASP / etc.
IT Entity Level Controls
Entity Level Controls
- Tone at the Top
- Strategies and plans
- Policies and procedures
- Risk assessment
- Training and education
- Quality assurance
- Internal audit (IT Audit)
General Computer Controls
- Controls over Software Acquisition and Development
- Controls over Computer Operations
- Controls over Change
- Controls over Access (Security)
General Computer Controls
Group's experience?
What have the external auditors asked for?
What gaps have been identified?
- Lack of risk assessment policy
- Lack of change management policy
Common remediation steps?
Application Controls
To ensure: Completeness, Accuracy, Existence/Authorization, Presentation/Disclosure
Examples
- Access controls within the application
- Control over changes to key tables and rates
- Control over changes to key reports
- Edit checks (alpha, data format, etc.)
- Balancing controls (will not let user post an unbalanced journal entry.)
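An added example (not from the deck) of what the application controls on this slide look like in code: a journal-entry posting check that applies edit checks (account code and amount format, date), an authorization check with preparer/approver segregation, and the balancing control that refuses an unbalanced entry. The chart of accounts, user roles and entry layout are constructed sample data.

```python
from datetime import date
from decimal import Decimal, InvalidOperation
import re

# Constructed sample master data (hypothetical): chart of accounts and user roles.
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "4000"}
ROLES = {"alice": {"preparer"}, "bob": {"approver"}, "carol": set()}
ACCOUNT_RE = re.compile(r"^\d{4}$")  # edit check: four-digit numeric account code


def parse_amount(text):
    """Edit check on data format: finite, non-negative decimal with <= 2 places, else None."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    if not value.is_finite() or value < 0 or value != value.quantize(Decimal("0.01")):
        return None
    return value


def check_entry(entry):
    """Apply application controls to a journal entry (dict); an empty list means it may post."""
    failures = []
    # Existence/Authorization: both signers need the right role, and they must differ.
    if "preparer" not in ROLES.get(entry["prepared_by"], set()):
        failures.append("preparer not authorized")
    if "approver" not in ROLES.get(entry["approved_by"], set()):
        failures.append("approver not authorized")
    if entry["prepared_by"] == entry["approved_by"]:
        failures.append("preparer and approver must differ")
    # Edit check: posting date must be a valid ISO date.
    try:
        date.fromisoformat(entry["posting_date"])
    except ValueError:
        failures.append("invalid posting date")
    debits = credits = Decimal("0")
    for account, debit, credit in entry["lines"]:
        # Edit checks: account code format and existence in the chart of accounts.
        if not ACCOUNT_RE.match(account) or account not in CHART_OF_ACCOUNTS:
            failures.append(f"unknown account {account}")
        d, c = parse_amount(debit), parse_amount(credit)
        if d is None or c is None:
            failures.append(f"bad amount on account {account}")
            continue
        debits, credits = debits + d, credits + c
    # Balancing control: refuse to post unless total debits equal total credits.
    if debits != credits:
        failures.append(f"unbalanced: debits {debits} != credits {credits}")
    return failures
```

Each failure string is what an auditor would expect to see in the application's rejection log; the entry posts only when the list is empty.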
End User Computing
- Spreadsheets (Excel)
- Databases (Access)
- Presentation Software (PowerPoint)
Considerations
- Calculate versus Summarize
- Complex versus Simple
- Material versus non-material
Websites
- Consider controls over Disclosure – Timing of posting of critical disclosures
Argument for Automating Controls
Testing of a Manual Control
- Sample Size 25
- 25 * 1 hour * $150 per hour = $3,750 per year
Testing of an Automated Control (assuming good General Computer Controls)
- Sample Size 1
- 1 * 2 hours * $150 per hour = $300 per year
90% Plus Saving per Control Selected for Testing
Sustainment
Sustainment – Beyond year one
Certification is an ongoing effort – required every quarter.
Move from project mode to processes embedded in business (methodology) supplemented by periodic testing.
Move responsibility to business units.
Ongoing role of IT Audit to test management’s documentation and evaluation processes used to support the CEO’s and CFO’s certification of DCP and ICFR.
GNA Consulting Group Ltd.
1500 – 701 West Georgia Street
Vancouver, British Columbia
V7Y 1C6
Canada
Phone: 604-683-1512
Fax: 604-676-2725
brent.shirley@gnaconsulting.com
james.mcgregor@gnaconsulting.com
Web: www.gnaconsulting.com