12-Sep-06 GNA Consulting Group Ltd.


Page 1: CEO/CFO Certification – An IT Audit Perspective

Brent Shirley, B. Comm., MBA, CAIT/CISA, CMC

James McGregor, B. Comm., MBA

Page 2: CEO/CFO Certification

CEOs and CFOs of Canadian public companies are required to “certify” the design (documentation) and evaluation (testing) of:

- disclosure controls and procedures (DCP) - SOX 302, MI 52-109
- internal control over financial reporting (ICFR) - SOX 404, MI 52-109 enhanced. (Note: MI 52-111 has been withdrawn.)

Page 3: Why

Many DCP/ICFR failures in recent years.

- US Examples - Enron, WorldCom, QWest, Global Crossing, Duke Energy, Tyco, Xerox, Sunbeam, HealthSouth, Freddie Mac, Parmalat, Shell, Goodyear, etc., etc.
- Canadian Examples - Nortel, Livent, Bre-X, YBM Magnex, Corel, Laidlaw, Hollinger, CP Ships, etc., etc.

Page 4: What

Certification signed by the CEO and CFO in the prescribed format (no changes are allowed).

Example Certifications:

- Microsoft Corporation
- TELUS Communications Inc.

Page 5: Which Companies Must Certify

Certification of Disclosure Controls and Procedures

Currently CEOs and CFOs of most US and all Canadian public companies must certify the design and evaluation of DCP.

Certification of Internal Control Over Financial Reporting

- CEOs and CFOs of US companies – Accelerated Filers and Canadian companies that file a 10-K/10-Q have had to certify the design and evaluation of ICFR for at least the last two years. In addition an audit attestation has been required.
- CEOs and CFOs of Canadian companies filing in the US using a 20-F or 40-F that are Large Accelerated Filers ($700 million or more market capitalization) and with year ends ending on or after July 15, 2006 must now certify the design and evaluation of ICFR. In addition an audit attestation is required. One year delay for other Canadian Accelerated Filers (between $75 and $700 million market capitalization).
- CEOs and CFOs of all other Canadian public companies (not filing in the US) with year ends ending on or after June 30, 2006 must now certify the design of ICFR. The certification of the evaluation of ICFR will at the earliest be required for years ending on or after December 31, 2007 but will not require audit attestation.

Note: Dates and rules continue to change and current requirements should be confirmed with legal counsel.

Page 6: Consequences/Penalties

- Regulator Enquiry and Investigation
- Re-filing and Press Release
- Audit Committee/Board Investigation
- Fines
- Delisting
- Third party legal action/class action
- Jail

Page 7: An Example

What Can Go Very Wrong

Page 8: Definition of DCP

Definition of Disclosure Controls and Procedures (DCP) – MI 52-109

Means controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under provincial and territorial securities legislation is recorded, processed, summarized and reported within the time periods specified in the provincial and territorial securities legislation and include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under provincial and territorial securities legislation is accumulated and communicated to the issuer’s management, including its CEOs and CFOs, as appropriate to allow timely decisions regarding required disclosure.

Page 9: What Needs To Be Done For Management To Certify DCP

Disclosure Controls and Procedures (DCP) Certification - Design

- Define and document disclosure universe and processes (and controls) followed to prepare 10-K, 10-Q, MD&A, Certifications, Annual Report, AIF, Prospectuses, etc.
- Consider Earnings Press Release, Press Releases Containing Financial Information, etc.
- Consider Websites, Investor Presentations, Health and Safety Reports, etc.
- Consider any other public disclosure determined by management to be “material”

Page 10: What Needs To Be Done For Management To Certify DCP

Disclosure Controls and Procedures (DCP) Certification - Design

- Consider sub-certification by key players
  - CIO may be asked to certify on his/her area of responsibility
- Consider Disclosure Committee
- Consider Disclosure Policy
- Consider Audit Committee Role

Page 11: What Needs To Be Done For Management To Certify DCP

Disclosure Controls and Procedures (DCP) Certification - Evaluation

- Prepare an Evaluation (Test) Plan
- Identify Significant Disclosures to Review
- Gather and Review
  - Material supporting disclosures – words and numbers
  - Disclosure Committee minutes/approvals
  - Timing of disclosure
- Interview key participants
- Prepare Evaluation Report

Page 12: IT Audit Perspective

Disclosure Controls and Procedures (DCP) Certification - Consider

- Controls over spreadsheets and databases that produce numbers for disclosure – e.g. share capital, options, production statistics, market analysis – accuracy and completeness.
- Controls over presentations used for analyst calls and industry updates – e.g. PowerPoint links to spreadsheets and databases, version control, avoid selective disclosure.
- Controls over corporate websites – e.g. timing of posting, current data consistent with other disclosures and other websites, reference to current code of conduct, corporate governance information, whistleblower process, avoid selective disclosure.

Page 13: Definition of ICFR

Definition of Internal Controls over Financial Reporting (ICFR) – MI 52-109

Means a process designed by, or under the supervision of, the issuer’s CEOs and CFOs and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements for external purposes in accordance with the issuer’s GAAP and includes the policies and procedures that:

(a) pertain to maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer.

(b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issuer’s GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and

(c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the annual financial statements or interim financial statements.

Page 14: What Needs To Be Done For Management To Certify ICFR

- Create a Project
  - Project Sponsor
  - Project Charter
  - Steering Committee
  - Staffing – Internal versus External
- Select Framework (COSO, Cobit)
- Decide on Scope
  - De-consolidation of Financial Statements
  - Locations in Scope
  - Business Processes in Scope (e.g. Revenue, Expenditures, Investments, Capital Assets, HR and Payroll, Legal and Regulatory, Tax, Financial Statement Close, etc.)

Page 15: What Needs To Be Done For Management To Certify ICFR

- Managing the Project
  - Project Management
- Documentation
  - Narrative
  - Flowchart
- Design Evaluation – By Management
  - Control Matrix
  - Identify Key Controls
- Testing
  - Test Plans
  - Test Key Controls
- Remediation, Re-Testing
- Effectiveness Evaluation – By Management
- Audit Attestation (US Filers Only)

Page 16: What Needs To Be Done For Management To Certify ICFR

IT Perspective

- First need to identify applications supporting the in-scope business processes
- Next identify infrastructure/organization supporting the applications
  - Shared Services
  - Regional / Departmental Computing
  - Third Party Applications / ASP / etc.

Page 17: IT Entity Level Controls

Entity Level Controls

- Tone at the Top
- Strategies and plans
- Policies and procedures
- Risk assessment
- Training and education
- Quality assurance
- Internal audit (IT Audit)

Page 18: General Computer Controls

- Controls over Software Acquisition and Development
- Controls over Computer Operations
- Controls over Change
- Controls over Access (Security)

Page 19: General Computer Controls

Group's Experience?

- What have the external auditors asked for?
- What gaps have been identified?
  - Lack of risk assessment policy
  - Lack of change management policy
- Common remediation steps?

Page 20: Application Controls

To ensure: Completeness, Accuracy, Existence/Authorization, Presentation/Disclosure

Examples

- Access controls within the application
  - Control over changes to key tables and rates
  - Control over changes to key reports
- Edit checks (alpha, data format, etc.)
- Balancing controls (will not let user post an unbalanced journal entry)
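As an added illustration of the application controls listed on this slide (not code from the presentation or from GNA Consulting), the following Python posting check enforces completeness, accuracy edit checks, authorization and a balancing control on a journal entry; the role table, the account-code format and the sample entries are constructed assumptions.

```python
import re
from decimal import Decimal, InvalidOperation

# Hypothetical role table (constructed): access controls inside the application
# over who may post entries and who may change key tables such as rates.
ROLES = {"alice": {"post_journal"}, "bob": {"post_journal", "maintain_rates"}}
ACCOUNT_RE = re.compile(r"^[0-9]{4}-[A-Z]{2}$")  # assumed account code format

def validate_journal_entry(entry, user):
    """Return the list of control failures; an empty list means the entry may post."""
    failures = []
    # Completeness: every required field must be present.
    for field in ("reference", "date", "lines"):
        if not entry.get(field):
            failures.append(f"completeness: missing {field}")
    # Existence/Authorization: only holders of the posting role may post.
    if "post_journal" not in ROLES.get(user, set()):
        failures.append(f"authorization: {user} may not post journal entries")
    debits = credits = Decimal("0")
    for i, line in enumerate(entry.get("lines", []), start=1):
        # Accuracy: edit checks on account code format and amount format.
        if not ACCOUNT_RE.match(str(line.get("account", ""))):
            failures.append(f"accuracy: line {i} has a bad account code")
        try:
            amount = Decimal(str(line.get("amount", "")))
        except InvalidOperation:
            failures.append(f"accuracy: line {i} amount is not numeric")
            continue
        if line.get("side") == "DR":
            debits += amount
        elif line.get("side") == "CR":
            credits += amount
        else:
            failures.append(f"accuracy: line {i} side must be DR or CR")
    # Balancing control: the entry cannot post unless debits equal credits.
    if debits != credits:
        failures.append(f"balancing: debits {debits} != credits {credits}")
    return failures

def can_change_rate_table(user):
    """Access control over changes to key tables and rates."""
    return "maintain_rates" in ROLES.get(user, set())

# Constructed sample entries: one balanced, one that fails several controls.
BALANCED = {"reference": "JE-1", "date": "2006-09-12", "lines": [
    {"account": "1000-CA", "side": "DR", "amount": "250.00"},
    {"account": "4000-RV", "side": "CR", "amount": "250.00"}]}
UNBALANCED = {"reference": "JE-2", "date": "", "lines": [
    {"account": "1000-CA", "side": "DR", "amount": "250.00"},
    {"account": "revenue", "side": "CR", "amount": "200.00"}]}
```

Because the check is automated and deterministic, an auditor relying on good general computer controls can test it with a single sample rather than the 25 a manual control would need.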

Page 21: End User Computing

- Spreadsheets (Excel)
- Databases (Access)
- Presentation Software (PowerPoint)

Considerations

- Calculate versus Summarize
- Complex versus Simple
- Material versus non-material

Websites

- Consider controls over Disclosure – Timing of posting of critical disclosures

Page 22: Argument for Automating Controls

Testing of a Manual Control

- Sample Size 25
- 25 * 1 hour * $150 per hour = $3,750 per year

Testing of an Automated Control (assuming good General Computer Controls)

- Sample Size 1
- 1 * 2 hours * $150 per hour = $300 per year

90% plus saving per control selected for testing.

Page 23: Sustainment

Sustainment – Beyond year one

- Certification is an ongoing effort – required every quarter.
- Move from project mode to processes embedded in the business (methodology) supplemented by periodic testing.
- Move responsibility to business units.
- Ongoing role of IT Audit to test management’s documentation and evaluation processes used to support the CEO’s and CFO’s certification of DCP and ICFR.

Page 24: GNA Consulting Group Ltd.

1500 – 701 West Georgia Street, Vancouver, British Columbia, V7Y 1C6, Canada

Phone: 604-683-1512

Fax: 604-676-2725

[email protected]@gnaconsulting.com

Web: www.gnaconsulting.com