Internal Control Certification – How is your company progressing?

After December 15, 2008, TSX-listed companies (non-venture issuers) are required to certify on the operating effectiveness of their internal control over financial reporting. Because of the responsibilities of audit committees and boards of directors regarding financial disclosures and MD&A, both parties are affected by their company’s certification process.  
In our experience with SEC registrants complying for the first time with similar requirements under the Sarbanes-Oxley Act (SOX), an audit committee taking an active oversight role contributed significantly to a more effective certification process.

When KPMG invited TSX-listed companies to self-assess their readiness to certify, management of 60 companies participated. In addition to requesting that they evaluate their progress in preparing for certification, we also asked what activities their audit committees were performing or planned to perform in overseeing management’s certification process. Although these self-assessments were completed from July through August 2008, the results can continue to stimulate ideas for audit committees. 

The assessments show significant differences between the readiness of very large companies (revenues over $1 billion) and smaller companies (revenues under $ 50 million). Based on our findings, if audit committee members of smaller companies have not been questioning management on their readiness for certification, they should seriously consider taking a more active oversight role.

Is your company ready to certify?
We looked at four key stages of a company’s readiness to certify in compliance with Canadian requirements. For each stage, the companies that completed the self-assessment rated their level of readiness as either “early stages,” “significant progress” or “virtually complete.” We recognize that these companies will have continued to move forward, but the following table provides a “snapshot in time,” showing their assessment of their progress in July/August 2008:

Larger companies tended to be further ahead in the process, perhaps because the size and complexity of their operations often requires them to plan more extensively for certification. Smaller companies tended to be in the very early stages of evaluating the design and operating effectiveness of controls. In addition, many smaller companies actually reported that they were in the early stages of identifying qualified resources to perform the evaluation. What are the implications for audit committees? Audit committees should discuss with management whether they have adequate qualified resources to complete the certification project. 

Overall, the IT aspects of certification appeared to be lagging. Many participating companies indicated they were in the early stages of determining what IT applications were in scope, documenting IT general and application controls, and determining how to evaluate IT controls. This finding is consistent with that experienced during the first year of SOX implementation. IT specialist help may be necessary. Alternatively, companies with low IT dependence may find that simply focusing on manual monitoring and reconciliation controls would be a more efficient approach. 

In evaluating the design and operating effectiveness of controls, almost half of the companies (and a much larger proportion of smaller companies) said they were in the early stages of actually testing controls. Our previous experience with SOX showed that most deficiencies come to light during this phase. Companies that delay the testing process will have less time to remediate any control deficiencies that they identify. 

In the managing and reporting deficiencies phase, areas with less progress included aggregating and evaluating deficiencies, communicating findings to the audit committee and drafting relevant disclosures. However, given that many companies were testing controls at the time of completing their self-assessments, these processes could not have been completed.

How can the audit committee provide active oversight?
We asked companies about activities of their audit committees in overseeing management’s certification process. We also asked whether management or the audit committee had engaged external assistance. 

The table below highlights the commenced and/or planned activities of the audit committee.   

These results show the average response for all participant companies. Company size did make a difference—audit committees of very large companies were significantly more actively involved in the certification process than those of smaller companies. Their level of involvement may contribute to these companies being further ahead in the certification process.   

Audit committees appear to be least involved in reviewing detailed process level documentation. This finding is consistent with our experience in first-time SOX compliance. Approximately 40% of all participant companies had engaged external assistance from either their auditor or a third party.

Guidance to the certification rule indicates that, to provide reasonable assurance for the approval of an issuer’s MD&A disclosure concerning internal control over financial reporting, the board of directorshould understand the basis upon which the certifying officers concluded that any particular deficiency or combination of deficiencies did or did not constitute a material weakness. Based on this guidance from the Canadian Securities Administrators, before recommending the board’s approval of the annual MD&A, audit committee members should monitor management’s progress and discuss with management any deficiencies and their assessment of such deficiencies. The audit committee should also ensure that management’s report included in the MD&A is consistent with the company’s evaluation.

Changes in Internal Control over Financial Reporting
MD&A should also disclose any changes in internal control over financial reporting that materially affected or are reasonably likely to materially affect the issuer’s internal control over financial reporting. A change in internal control over financial reporting that is made to remediate a material weakness would generally be considered a material change; however, disclosure may be required for other reasons. Limited guidance exists in Canada or the US for determining what is a material change. Audit committee members may wish to discuss with management what process is in place to identify changes in internal control over financial reporting and how such changes are being evaluated against materiality. In evaluating changes, considerations could include:

• What changes are pervasive and cover multiple accounts? (for example, a major conversion involving an enterprise-wide system)
• What changes have been made that might affect a material risk to the reporting process? (for example, anti-fraud controls put in place to enhance the control environment, such as the introduction of code of conduct annual sign-offs)
• How extensive are the changes relative to material accounts or risks? Is the change a complete overhaul that includes both information technology changes and process flow, or are the changes more selective “tweaking”?
• What changes have been made to the more important key controls, particularly those involving significant judgments? (for example, new or changed personnel who were necessary to handle complex accounting areas such as financial instruments, revenue recognition or accounting for income tax)
• Where are there less significant changes that may, in the aggregate, be considered material?
  

Conclusion
We emphasize that, as demonstrated by our experience with SEC registrants complying with the Sarbanes-Oxley Act for the first time, an active oversight role by the audit committee can significantly contribute to a more effective certification process. We encourage audit committee members of TSX-listed companies to continue their dialogue with management to ensure that an appropriate plan and necessary resources are in place for the company to complete its evaluation and certification of internal control over financial reporting. The effective date for most companies is quickly approaching.

KPMG LLP (Canada) automatically sends these e-mail alerts to people who request them. You may request these e-mail newsletters by signing up at www.kpmg.ca/accountability or by clicking this link.