Deloitte & Touche LLP   Deloitte & Touche LLP
Global > Canada > Services > CEO/CFO Certification    
CEO/CFO certification for Crown corporations
How certification can enhance the accountability of public sector organizations
Nancy Rector and Keith Davis

The Treasury Board of Canada Secretariat (TBS) recently released its report on Crown corporation governance. In that report, TBS stated that the government supports the use of a certification regime and will examine, in consultation with Crown corporations, the development of a certification regime that would be applicable to all Crowns.

While the TBS report did not specify certification requirements, it did make reference to private sector certification regulations, such as the United States’ Sarbanes-Oxley Act of 2002 and the equivalents issued by the Canadian Securities Administrators. In the private sector, recent business scandals have found executives testifying that they were “unaware” of dubious activities — such as off-the-book partnerships and improper revenue recognition — carried on by their companies. The private sector certification regulations aim to discourage such claims through a number of measures targeted at strengthening internal checks and balances and enhancing accountability; most notably, the regulations focus heavily on the critical role of “internal control.”

Internal control is a process, put into effect by a company’s board of directors, management, and other personnel, which drives business success with regards to the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. The certification regulations make CEOs and CFOs explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal control over financial reporting and disclosure. In addition, the independent auditors of impacted private sector companies will now be required to issue a separate report that attests to management’s assertion on the effectiveness of internal controls and procedures for financial reporting.

So while the specific Crown corporation certification requirements are still to be determined, the TBS report indicated the desire to have the governance system for Crown corporations to be as robust as their private sector counterparts, leading one to believe that similar certification requirements are likely in the future for Canada’s federal Crown corporations. On top of that, the TBS report indicated that it felt that Crown corporation accountability would be further enhanced by requiring chairs, on behalf of boards of directors, to certify performance of key responsibilities accorded to them. This concept goes beyond private sector requirements and underscores the current climate of increased focus on transparency and accountability in the public sector.

Regardless of the specific requirements, one thing is certain — complying with certification requirements is complex and requires significant time and effort. Some Crown corporations have already started to explore and have begun the scoping activities required in this area. It would be prudent for the others to follow their lead without further delay. Given the experience of the private sector in this area, it would be equally prudent for Crown corporations to leverage the lessons learned from those who have already complied with certification requirements.

12 tips for getting started on certifying Crown corporations
Based on our experience assisting both private and public sector organizations, we offer 12 tips for getting started with certification projects:

  1. Set the tone from the top
    Given the fact that there is likely to be a requirement to repeat the control assessment process on a recurring basis, Crown corporations need to ensure there is strong support for certification efforts from the highest level of senior management. If executives embrace the certification program as an opportunity to improve internal communication as well as to provide accountability for public disclosures, then the program has the potential to have a positive and significant impact on the quality of reporting and internal control.
  2. Begin with the end in mind
    It is imperative to determine your compliance vision early, and define where you ultimately want to go with your compliance initiative. Do you want to be a leader in corporate governance? Or do you just want to execute the minimum possible to comply? If the private sector is any indication, Crown corporations can anticipate that additional certification and attestation requirements are coming, so plan your activities accordingly.
  3. Select a suitable internal control framework
    To meet the objectives of private sector certification requirements, many private sector companies have built their internal control structure around the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). While other frameworks for internal control exist, COSO has become the dominant model for certification programs. As such, Crowns should strongly consider adopting COSO for its certification activities to be able to better leverage tools and templates developed for private sector certification initiatives.
  4. Execute comprehensive scoping activities
    It is critical to undertake a detailed scoping exercise prior to conducting documentation or testing activities. Many organizations have found they embarked on documentation and testing too soon without first executing the appropriate scoping activities. As a result, their activities were inefficient and did not focus on the required areas. Crowns can learn from the private sector and take the opportunity to clearly scope out required documentation and testing activities before “jumping in.”
  5. Embed strong project management
    A dedicated project manager should be assigned to the initiative (at least 75% dedicated) to ensure strong project management. A detailed project plan should be prepared with timelines and assigned accountabilities. Proper sequencing of activities is crucial and the timely involvement and input from stakeholders is a strong determinant of success.
  6. Involve your external auditors throughout
    Given the private sector requirement for auditor attestation, it is foreseeable that Crown corporation external auditors may eventually be asked to play a similar role. As such, it is important that your external auditor be involved at the appropriate checkpoints to provide both input and feedback on management’s certification activities. Involvement at the appropriate points in time will help to minimize your certification risk as well as your costs of compliance.
  7. Ensure visible support from key stakeholders throughout the initiative
    Certification is not simply a CEO and CFO issue. Nor is it simply a finance and accounting issue. And it is certainly not an internal audit issue. Certification is a business issue requiring the active support of executive management and the audit committee. Appropriate messaging delivered at the right times from these key stakeholders is critical to success.
  8. Deploy resources with the appropriate skills and background
    Identifying, documenting and assessing internal controls over financial reporting and disclosures require specialized internal control skills. Do not simply assign available resources to the project without first determining whether these individuals have the necessary competencies to complete the project activities. Deploying individuals (either internal resources or qualified external consultants, if required) with the appropriate skills and background will minimize inefficiencies and re-work as well as your certification risk.
  9. Tackle complex areas sooner rather than later
    Too often companies begin to address complex areas such as information technology too late in the process. Information technology, for example, is pervasive with far-reaching impacts on financial reporting. In addition, weaknesses in general computer controls tend to be more significant due to their pervasiveness and are more difficult to address. As a result, these issues should be identified early on in the initiative to allow sufficient time for remediation.
  10. Consider creating and empowering a disclosure committee
    The formation of a disclosure committee represents one of the most important controls that an organization can implement. The disclosure committee performs numerous functions, including reviewing required filings, recommending parameters for disclosure, overseeing disclosure processes, and reviewing control deficiencies and material weaknesses with the CEO and CFO.
  11. Realize business benefits beyond compliance
    Successful organizations view certification as an opportunity to drive business benefits from their significant compliance investment. Whether through small process or control changes or through major infrastructure enhancements, the internal control assessment activities provide an excellent opportunity to improve process performance.
  12. Educate the board and audit committee on risks and control activities
    The degree to which audit committees are now expected to understand the nature of financial reporting risks and the function of internal control has increased. Board and audit committee members should review and appropriately challenge management’s performance of compliance procedures. As well, provide board and audit committee members with ongoing education programs.

Restoring trust in public sector organizations
Recent events, both in the private sector and the public sector (such as the sponsorship scandal within the Government of Canada arena) have placed us in a unique period in history with respect to stakeholder expectations for improved governance and improved accountability, transparency and overall corporate responsibility. The need to link sound corporate governance to effective internal control activities has never been clearer. In terms of restoring public confidence in private sector financial markets and in government spending, there has never been more at stake.

Leading organizations will recognize that they are operating in a new environment — one that demands more effort and accountability. As such, Crown corporations should factor the cost of developing a certification program into their business models. Good internal control should not be seen as a one-time expense; rather, it fundamentally changes the cost of doing business. And while some organizations may be tempted to show superficial compliance with certification requirements, such an approach may backfire if controls fail because form was stressed over substance.

Forward-thinking organizations and their executives will seize the opportunity. Those who fail to act may pay a heavy price.

 View more articles on CEO/CFO certification
Contact us for more information about this topic.
 
Source: Deloitte & Touche LLP - Canada (English)
Aussi disponible en : Français

Print this page    Email To A Colleague
  Security | Legal | Privacy    

© 2008 Deloitte & Touche LLP and affiliated entities.

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

Bookmark