Deloitte & Touche LLP
 
Preparing to certify operating effectiveness of internal control over financial reporting
CEO/CFO Certification News, April 2007

The past few years have heralded significant changes for CEOs and CFOs of public companies in terms of greater and expressed accountability for internal controls. While there has always been a fiduciary responsibility regarding internal control and a requirement to disclose material facts, the accountability link to the CEO and CFO for these matters has now been made explicit through the introduction of certification requirements and new legislation concerning liability for continuous disclosure.

For Canadian registrants, a final element in these management certifications remains – certification with respect to the operating effectiveness of internal control over financial reporting (ICFR). On March 30, 2007, the Canadian Securities Administrators (CSA) released a Notice and Request for Comments – Proposed Repeal and Replacement of MI 52-109, Forms 52-109F1, 52-109FT1, 52-109FT2, and Companion Policy 52-109CP Certification of Disclosure in Issuers’ Annual and Interim Filings.  In addition to repealing Multilateral Instrument 52-109 and its associated CEO and CFO certificates, the notice includes the following:

  • National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings
  • New and expanded forms/certificates to be filed by an issuer’s CEO and CFO
  • Companion Policy 52-109CP

Among other things, the above materials propose that an issuer’s certifying officers be required to provide certifications that they have evaluated, or caused to be evaluated under their supervision, the effectiveness of the issuer’s internal control over financial reporting (ICFR) as of the financial year end. They will also have to certify that the issuer has disclosed in its annual MD&A:

  • Conclusions about the effectiveness of ICFR at the financial year end
  • A description of the process used to evaluate the effectiveness of ICFR
  • A description of any reportable deficiency relating to the operation of ICFR existing at the financial year end
  • The issuer’s plans, if any, to remediate reportable deficiencies relating to operation of ICFR

The above proposals would apply to all reporting issuers other than investment funds and it is proposed that they would be effective for financial years ending on or after June 30, 2008.

While the additional CEO and CFO certifications with respect to the operating effectiveness of ICFR will not be effective before 2008, issuers are reminded of their existing responsibility for internal control and that it would not be prudent to take great comfort in the fact that certification with respect to these responsibilities is not currently required. The responsibilities of management and officers regarding internal control are implied to a large extent through existing fiduciary responsibilities – responsibilities that are now regularly receiving much more attention by regulators and the courts. Accordingly, issuers that have not completed their design and operating effectiveness assessments of internal control over financial reporting should continue with or accelerate their efforts.

Preparation activities should include the following key steps:

  1. Updating the company’s financial reporting risk assessment (possibly integrating operational and other business risks for additional business benefits beyond compliance) to ensure completeness and accuracy, 
  2. Ensuring that the population of controls considered by management includes only those controls that provide for an effective and efficient design necessary to prevent or detect errors material to the presentation of the financial statements, in accordance with Generally Accepted Accounting Principles (GAAP), and
  3. Developing a strategy for assessing/testing the operational effectiveness of ICFR.

Updating the risk assessment

A comprehensive and robust financial reporting risk assessment is critical to ensuring that the company’s compliance activities appropriately address key risk areas. In many cases, an initial risk assessment may have been completed several months ago or longer and, as a result, a “refresh” should be considered to ensure the completeness and accuracy of identified risks. To the extent that a comprehensive risk assessment has not previously been performed, companies should complete the risk assessment as one of their first steps in preparing for the ICFR operating effectiveness certification.

Financial reporting risks should be assessed and prioritized on the basis of significance and inherent likelihood. The assessment of significance relates to the impact that the particular risk would have on the company’s ability to provide reliable financial reporting in accordance with GAAP. The assessment of inherent likelihood refers to the probability of a material misstatement in the absence of controls specifically designed to prevent or detect the misstatement. For example, the risk of inadequate GAAP knowledge, if left unmitigated, would be viewed as having a significant impact on the ability of the company to provide reliable financial reporting in accordance with GAAP.

In terms of the likelihood of this risk occurring, the probability will depend on factors specific to the company. For example, this risk is often viewed to be more likely in smaller organizations with relatively fewer employees and accounting personnel or in certain industries or companies where the accounting tends to be more complex due to the nature of the company’s operations. In situations where the risk is viewed to be a key risk, management should ensure that the appropriate controls are designed, implemented and operating effectively to mitigate the risk to an acceptable level. For additional business benefits beyond compliance, issuers should consider incorporating operational and other business risks, beyond financial reporting risks, into the risk assessment activities.

Selecting an effective and efficient control set

The scope of management’s assessment is left to management’s judgment, pursuant to Multilateral Instrument 52-109. Companies should ensure that the population of internal controls being assessed for certification purposes is effective and efficient in addressing the key financial reporting risks identified through management’s risk assessment activities. Often referred to as “control rationalization”, this activity includes assessing both the number and nature of key controls considered by management to be necessary to prevent or detect errors material to the presentation of the financial statements in accordance with GAAP.

An appropriate set of internal controls will help to ensure that the company’s compliance activities not only address critical financial reporting risks, but do so in an efficient manner. Experience shows that many companies identified and documented more controls than required to address key financial reporting risks or placed excessive reliance on high-level relatively imprecise controls. And in many situations, controls in low risk areas were unnecessarily identified, documented and assessed rather than selecting and assessing more efficient controls that, for example, monitor the ongoing design and operation of such controls. The focus in low risk areas has not only been costly but has, in some cases, resulted in a lack of focus on the more critical controls necessary to prevent or detect material financial reporting errors such as those directed at reducing the risk of errors in management’s estimates or the risk of management override. The proposed management guidance and proposed new internal control auditing standard released late in 2006 by the Securities and Exchange Commission and Public Company Accounting Oversight Board, respectively, stress these points, encouraging and requiring more of a top-down risk-based approach to compliance.

For more information about control rationalization, please refer to Deloitte’s CEO/CFO Certification News, Rationalizing your internal controls, published in November 2005.

Developing an assessment/testing strategy

The purpose of the assessment/testing strategy is to establish the company’s basis for its assessment with respect to the operating effectiveness of controls. A well-defined strategy includes guidelines for the nature, extent and timing of management’s internal control assessments. A well-defined strategy also serves as the foundation to help drive consistency in management’s control assessments.

The assessment strategy should be aligned with management’s overall top-down risk-based approach by taking into account the nature of the control and the related risk that the control is designed to mitigate. Companies should plan to address all key financial statement assertions, as well as primary areas where financial statement misstatements could occur. The assessment strategy should provide guidelines for the consideration of relative risk and the established acceptable level of confidence that management strives to achieve. The assessment strategy should provide guidance on how to consider the nature of a particular control, the frequency of its operation and its relative importance. This will allow companies to optimize the efficiency and effectiveness of their compliance program by ensuring that the nature, extent and timing of the assessments are appropriately considered.

Nature, extent and timing of management’s assessments

In determining an appropriate assessment approach, management should carefully examine its existing supervisory and monitoring procedures to determine whether existing procedures can be leveraged as part of the company’s assessment approach. It may be possible to minimize the extent of incremental assessments required by formalizing existing supervisory and review practices and enhancing the evidence retained, for example, reconciliations and the completion and follow up on exception reports.

Ultimately, the nature, extent and timing of management’s assessment should be customized based on risk as well as the type of control and the manner in which its operating effectiveness is best assessed. Auditors rely on testing and use the following four techniques, whereas management may choose to use these techniques along with other assessment options at its disposal, such as monitoring controls:

  • Inquiry: An inquiry involves conducting oral or written interviews with people who are knowledgeable about particular controls. Although inquiry alone may be sufficient for low-risk controls, it should generally be corroborated and supplemented by other assessments for controls related to higher risk areas
  • Document examination: Depending on the control activity under review, management may want to review documents and reports that provide evidence of the adequacy of the activity’s performance
  • Observation: Another common assessment method involves witnessing the application of a control activity as it is being performed to gain a first-hand understanding of its operating effectiveness
  • Re-performance: This assessment technique involves repeating the application of all, or a portion, of the control activity to assess its effectiveness

As previously discussed, it may be possible for management to develop an efficient and effective assessment approach by leveraging existing supervisory and monitoring controls already in place within the company. For example, with respect to account reconciliations, the company’s controller may already execute some or all of the above assessment techniques through the conduct of his or her existing supervisory responsibilities. Inquiries of those performing the reconciliations and a review of the reconciliations may well occur on a regular basis already. In such situations, a significant opportunity exists to leverage these assessment procedures. The extent of incremental work may simply be the formal documentation of the results and conclusions from the application of these procedures.

The next key element in developing an effective and efficient assessment approach is the extent of assessment required. The extent of assessment involves determining the number of instances of the control activity that management should assess in order to reliably assert that the particular control activity is operating effectively. The extent of assessments should vary with the frequency of the control activity and the relative risk addressed by the control. The company’s assessment strategy should contain guidance to help determine the extent of control instances to assess. It is also advisable to include guidance with respect to the assessment impact when exceptions are found. In other words, if exceptions are found, should additional control instances be reviewed, or should the control be viewed as ineffective and remediation plans put in place? Ultimately, this guidance should be reflective of management’s tolerance for inaccurately asserting control effectiveness.

Finally, in developing the assessment strategy, management should determine the timing of the assessments. Ideally, assessments should occur on an ongoing basis throughout the year and should be built into daily routines, with sufficient focus toward the end of the year to enable the year-end certifications. By apportioning the assessments throughout the year, management can identify control deficiencies on a timely basis to provide the opportunity for remediation and reassessment prior to year-end.

Leveraging lessons learned

When developing a strategy for assessing ICFR operating effectiveness, management should consider the following lessons learned:

  • Engage in top-down risk-based scoping. Scoping directly affects the level of effort required to execute an operating effectiveness assessment. To ensure an appropriate focus on the areas of greatest risk, an effective risk assessment and scoping is critical.
  • Develop high-quality control documentation. Without high-quality documentation, companies are often forced to engage in time-consuming inquiries to further understand the nature of the control or update the control descriptions before they can develop effective assessment procedures.
  • Rationalize controls. Not every control needs to be assessed for operating effectiveness. Undertake a control rationalization approach to ensure key controls are assessed with an appropriate focus on entity and company level controls.
  • Develop documentation standards governing the assessment procedures. The documentation of the results of the application of the assessment procedures is important evidence to support management’s operating effectiveness conclusions. Documentation standards help to ensure consistency and avoid costly rework and follow-up.
  • Develop templates or employ enabling software. An important success factor is the use of templates to help facilitate the conduct and documentation of the procedures. As a further enhancement, companies should look to an enabling certification software solution to further increase the efficiency and effectiveness of the assessments. Many options exist in the market for continuous controls monitoring solutions and tools that serve as documentation repositories.
  • Deploy senior resources with the appropriate financial reporting skills and experience. Not everyone has the expertise to assess the operating effectiveness of controls. Companies that plan to utilize assistance from personnel who lack the necessary skills should ensure that appropriate training and support are provided. Keep in mind that different assessment roles will require different individual skills and experience. For example, more experience is typically required to plan and develop the required assessment approach and procedures as compared to executing the assessment activities.
  • Leverage existing supervisory or monitoring controls to minimize incremental assessment work. As previously discussed, a significant opportunity exists to minimize the extent of “net new” assessment work and the associated cost of compliance through the identification of existing assessment practices already in place within the company.
  • Consider the implications for reporting. Management should consider the reporting obligations arising from its assessment activities. These considerations should include the extent to which identified control weaknesses and/or material changes in internal controls require external disclosure in the company’s Management Discussion & Analysis.

In summary, preparing for the expected internal control operating effectiveness certifications requires careful planning built on a rationalized foundation of key controls. In order to truly employ a top-down risk-based approach to compliance, companies should develop an assessment approach that varies in the nature, extent and timing of the assessment procedures based on risk and leverages existing supervisory and review procedures already established within the company. With careful planning and a focus on the important areas, companies can position themselves well for success in managing their financial reporting risk and issuing the required CEO and CFO certifications with confidence.

 

About CEO/CFO Certification News

This is a bi-monthly publication of interest for companies dealing with the requirements for CEO/CFO certification.

For more information email
ceocfocertnews@deloitte.ca

Deloitte podcast: Same end game, different approach

Deloitte Partner Terry Hatherell discusses the inherent challenges — and advantages — of compliance for smaller public companies in Deloitte's podcast. Learn how CEOs and CFOs of smaller companies can build a streamlined, sustainable approach to certification from the start.

Contact us for more information about this topic.
 
Source: Deloitte & Touche LLP - Canada (English)


© 2009 Deloitte & Touche LLP and affiliated entities.

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
