Internal Control 2006: The Next Wave of Certification – Guidance for Management

Certification by CEOs and CFOs as to the accuracy of their firms’ financial statements is required by the Canadian Securities Administrator (CSA). As a result, the Risk Management and Governance (RMG) Board of the Canadian Institute of Chartered Accountants (CICA) has put together a series of guides to help CEOs and CFOs fulfill their responsibilities regarding the signing of certificates. Certification consists of two steps: disclosure controls, and internal controls over financial reporting. Such controls should ensure that information provided in financial statements complies with GAAP; accurately reflects the firms operations; and that unauthorized transactions are prevented, or at least detected, to prevent error in financial statements.

This is the third guide in a series of four, and corresponds to the 3rd stage of the certification process. The first stage was introduced in 2004, and required that CEOs and CFOs personally certify that the information contained in their financial statements was, to the best of their knowledge, accurate. The second phase introduced in 2005 required that CEOs and CFOs certify that they had designed disclosure controls for the purposes of ensuring the accuracy of information contained in their statements; and had evaluated the designs of their subsidiaries’ disclosure controls. This third stage, mandatory for all 2006 Canadian financial statements, required that CEOs and CFOs also include in their certificates that they had disclosed in their MD&A any change in internal controls over the last financial period if they materially affected (or were expected to affect) the statements. The next and final phase, expected in 2007, will require CEOs and CFOs to certify that they have evaluated the operating effectiveness of their internal controls, the conclusions of which must be included in the MD&A.

Besides discussing the background and details of the steps involved in the certification process, the guide explains this top-down, risk based process and includes a methodology for assessing whether the design of the internal control processes do in fact minimize the possibility of inaccurate reporting. It explores the implications of certification for firms at different stages of growth (firms at different stages require different internal control designs), specifically highlighting the challenges facing start-ups with resource and skill limitations. Since recent scandals have demonstrated that internal controls over financial reporting depends on the integrity of the CEO, the guide emphasizes the importance of the process being driven by the CEO, in order to set an appropriate “tone at the top”. It recognizes the need for internal controls for financial reporting to be built upon a sound methodological foundation; and integrated within management’s ongoing control activities.

In addition, the guide explains that audit committees and external auditors are not required to review or approve the CEO or CFO certificates, but that external auditors are required to review the MD&A. It makes recommendations about the differing degrees to which external auditors and audit committees can become involved/ aware of internal control designs and procedures to best ensure their effectiveness.

Importantly, the guide stresses that firms are encouraged to include disclosures about internal controls in all public documents, and not only those that are required to be filed with the securities regulator. It advocates that all weaknesses in the design of financial reporting controls should be reported in the MD&A, as well as the plans to rectify them.

The guide explains that in 2006, reporting a material weakness in reporting design will prevent CEOs and CFOs from signing a certificate as to the effectiveness of their control design. However, it goes on to state that this has been identified as an issue that is currently being attended to by the CSA, which is expected to provide guidance in the future. Finally, the guide touches on the roles of boards of directors in internal control design. Boards have the responsibility to shape sound corporate governance principles; to identify the principal risks of the business; and to set appropriate expectations for business conduct. CICA has also put together a companion guide for directors regarding their responsibilities in ensuring that systems are in place to report accurately.

Goodfellow, J.L.; and Willis, A.D. 2006. “Internal Control 2006: The Next Wave of Certification – Guidance for Management”. The Canadian Institute of Chartered Accountants, Toronto.