Internal Controls Over Financial Reporting

November 2010

Ernst & Young – Speaker Introductions

► Stephen McIntyre, Risk Advisory Services

► Hassan Qureshi, IT Risk Advisory Services

► Marco Perron, Risk Advisory Services

Agenda for the day

► Session 1 (9:00 – 10:15) – Internal Controls over Financial Reporting (ICFR)

► Session 2 (1:30 – 2:30) – Panel discussion

► Session 3 (3:00 – 4:00) – Internal Controls in an IT environment and reporting to audit committees.

Session #1: Agenda

► How did we get here?

► The Policy on Internal Control (PIC)

► Internal Control over Financial Reporting (ICFR)

► The Top Down, risk based approach

► Entity Level Controls

► IT General Controls

► Transaction Level Controls

► What lessons can we learn from other internal control projects?

How did we get here?

Internal control certification – How did we get here? – Overview

► The requirement for management to provide certification over the effectiveness of internal controls is not new.

► Certifications exist in many formats, and requirements can’t be generalized from one standard to another.

► Internal controls are prevalent in more than one area of the organization (e.g. IT, operations, finance, HR).

► A continuing focus on accountability and assurance to stakeholders.

Internal control certification – How did we get here? – Industry Models – US

► The first significant focus on internal control certification related to financial reporting was the Sarbanes-Oxley Act of 2002 (SOX 404).

► SOX represented the US government’s response to a market in crisis and was put in place to provide investors with additional assurances over an entity’s health.

► SOX required management and the company’s auditor to attest to the certification over internal control effectiveness.

Internal control certification – How did we get here? – Industry Models – Canada

► Following the lead of the US markets, publicly reportable enterprises reporting on Canadian listings were soon required to comply with a SOX-type equivalent standard.

► National Instrument 52-109, similar to SOX 404, required management (CEO/CFO) to attest to the effectiveness of internal controls over financial reporting.

► Unlike SOX, the Canadian standard did not require the auditor to provide an opinion over control effectiveness.

► This approach allowed for a more pragmatic assessment of internal control effectiveness and placed greater flexibility in the hands of management when concluding on control effectiveness.

Internal control certification – How did we get here? – Other models – UK

► Publicly listed companies in the UK are required to follow the “Turnbull Guidance on Internal Control”, which sets out the best practices for internal controls.

► The directors of the company are required to complete annual reviews of the group’s system of internal controls and report the results to the shareholders.

► The review should cover financial, operational, and compliance/risk controls.

Internal control certification – How did we get here? – Government Models – UK

► Industry hasn’t been the only sector with internal control reporting responsibilities.

► In July of 2005, Her Majesty’s Treasury in the UK published “Corporate governance in central government departments: Code of good practice”.

► “The board should ensure that effective arrangements are in place to provide assurance on risk management, governance and internal controls. In this respect the board should be independently advised by: (1) an audit committee chaired by an independent non-executive member; and (2) an internal audit service operating in accordance with Government Internal Audit Standards.”

Internal control certification – How did we get here? – Government Models – UK

► The Financial Reporting Manual provides additional disclosure requirements for government departments as an Annex to the financial statements:

  ► Scope of responsibility of the accounting officer

  ► The purpose of the system of internal controls

  ► Capacity to handle risk

  ► The risk and control framework

  ► Review of effectiveness

Policy on Internal Control (PIC) – Who, What, When, Why and How


Policy on Internal Control (PIC) – Who is responsible?

► Primary responsibility for reporting of compliance under PIC is allocated to the Deputy Head of the Department, who is responsible for ensuring the establishment, maintenance, monitoring and review of the departmental system of internal control to mitigate risks in the following broad categories:

  ► The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;

  ► The reliability of financial reporting; and

  ► Compliance with legislation, regulations, policies and delegated authorities.

Policy on Internal Control (PIC) – What is it?

PIC defines the objectives and expected results as follows:

► Risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.

► An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified.

Policy on Internal Control (PIC) – What is it?

► The Policy on Internal Control is not a “make work project”.

► The underlying assumption is that key controls already exist in the organization to mitigate key risks.

► The annual assessment is the evidence of this effective operation of key controls and an opportunity to share insight into the remediation or change strategy for those processes/controls that are not operating as expected.

Policy on Internal Control (PIC) – When?

► The Policy on Internal Control took effect on April 1, 2009, and compliance with the reporting requirements is being phased in over a 3-year period.

► The policy applies to all departments, as defined in section 2 of the FAA.

Policy on Internal Control (PIC) – Why?

► Parliament and Canadians expect the federal government to be well managed, with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. They also expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.

► In 2004, the OCG stated that all departments and agencies would be audited within 5 years. This requirement was not passed into legislation.

► This was later revised in 2010 with the release of the Policy on Financial Resource Management, Information and Reporting, which requires departments to take measures to be able to sustain a controls-based audit.

Policy on Internal Control (PIC) – How?

► Compliance with the policy will be disclosed within an organization’s public reporting.

► The Deputy Head and the CFO will sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting, which will preface the departmental financial statements.

► The results of a department’s annual assessment and action plan are to be summarized in an annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Internal Controls Over Financial Reporting

Internal Controls Over Financial Reporting (ICFR)

► Internal control is a term that carries a broad definition.

► Internal controls over financial reporting are a sub-set of the broader suite of internal controls that exist within an organization and specifically focus on the activities which prevent and/or detect errors in financial reporting.

► Errors are the result of risks, which can be identified and mitigated by controls.

► Effective internal controls are required to appropriately mitigate and reduce risks, the underlying requirement of the Policy on Financial Resource Management, Information and Reporting.

Internal Controls Over Financial Reporting (ICFR)

► ICFR can provide the reader of financial statements with:

  ► Assurance that financial statements fairly reflect all financial transactions;

  ► Assurance that all transactions are recorded in accordance with applicable policies, directives and standards;

  ► Assurance that transactions are carried out in accordance with delegated authorities;

  ► Assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

Internal Controls Over Financial Reporting (ICFR)

► In order to assess internal controls over financial reporting, a framework is required.

► The Committee of Sponsoring Organizations (COSO) framework has been the most consistently applied internal control framework worldwide and is comprised of 5 inter-related components:

  ► Control Environment

  ► Risk Assessment

  ► Control Activities

  ► Information and Communication

  ► Monitoring

Internal Controls Over Financial Reporting (ICFR)

► There are two key elements to control effectiveness: control design and control operation.

► Design effectiveness: effective control design is a reflection of the right person, using the right information, making the right decision to mitigate identified risks.

► Operational effectiveness: effective operation is the consistent application of an effectively designed control, without exception.

Top Down, Risk-Based Approach

Top down, risk-based approach

► The overall objective of an effective system of internal controls over financial reporting is to provide an effective and efficient means of auditing the financial results.

► Equally important is the efficiency and effectiveness of the internal control and risk identification strategy.

► One of the most common pitfalls is the over-identification of risks related to the organization’s financial reporting.

► Using a top down, risk-based approach will address the requirements of ICFR while maintaining efficiency throughout the organization.

Top down, risk-based approach – Entity Level Controls

► Using the COSO framework as a guide, the control environment plays a significant role in the overall internal control system.

► Entity level controls (ELCs) provide the “tone at the top” of the organization, and as a result directly or indirectly impact all underlying controls.

► Effective ELCs can provide excellent leverage to reduce testing at lower levels. Ineffective ELCs can spell disaster for all underlying controls.

► ELCs exist in two forms, direct and indirect.

Top down, risk-based approach – Entity Level Controls

► Direct entity level controls monitor specific business and financial risks, and operate at the level of precision necessary to detect breakdowns in the application of an organization’s policies and procedures.

  Example: The CFO and Director of Finance review the quarterly and annual financial statements and related disclosures.

► Indirect entity level controls help define the control consciousness of an organization without directly mitigating any one specific financial or operational risk.

  Example: An organizational code of conduct distributed via the intranet.

Top down, risk-based approach – Entity Level Controls

► Benefits from leveraging effective ELCs:

  ► Reduce the extent of reliance on transaction level controls

  ► Increase the effectiveness of internal controls through leveraging senior and experienced personnel

  ► Better define and communicate the expectations of management across the organization (i.e., tone at the top)

  ► Reduce redundancy in controls performed across the organization at different levels

Top down, risk-based approach – Design of transaction level controls

► The starting point for assessing the effectiveness of the transaction level controls is defining what business processes are in scope.

► In order to assess the ICFR, you need to work backwards from the end objective, which in this case is the financial statements.

  ► Step 1 – identify the significant accounts

  ► Step 2 – associate the significant business processes

  ► Step 3 – perform a detailed risk assessment

Top down, risk-based approach – Design of transaction level controls – Sig. Accounts

► Determination of what accounts are deemed to be “significant” is a matter of judgement.

► Guidance exists from the OCG to assist organizations in the determination of significant accounts and follows common practice throughout the private and public sector.

► Assess the materiality of the underlying account results, and assess the inherent risks related to each account.

► A combined risk-based approach uses the results of these two assessments to determine the significance of each account presented on the financial statements.

Top down, risk-based approach – Design of transaction level controls – Sig. Accounts

► Each financial statement account is comprised of financial statement assertions:

  ► Existence / Occurrence

  ► Completeness

  ► Valuation

  ► Presentation & Disclosure

  ► Rights & Obligations

► From a risk-based perspective, each assertion by significant account must be considered to prioritize the extent of identified risks.

► Example: Generally speaking, the risk of completeness is greater for liability-based accounts than for asset accounts.

Top down, risk-based approach – Design of transaction level controls – Sig. Processes

► The value associated with each significant account is derived from a specific set of business process(es). Don’t forget disclosure!

► A significant process can be associated with one specific account or several accounts across the financial statements.

► In order to effectively and efficiently perform the risk assessment, you must consider each business process and related transaction processing from initiation to recording.

► Example: Procurement of a good or service is most commonly initiated through a requisition completed by the end user. If during the scoping exercise an organization was focused purely on the traditional “accounting” functions, key risks could be overlooked.

Top down, risk-based approach – Design of transaction level controls – Risks

► The key objective in risk identification is to focus on key risks related to financial reporting (and disclosure).

► Without appropriate identification of the significant accounts, related assertions and processes, the risk identification process can easily go beyond the applicable scope of ICFR.

► Ask the question “What could go wrong?” specific to the account/assertion/process.

► Hint: A key risk, if not mitigated by a control (or suite of controls), could cause a material error to the financial statements.

Top down, risk-based approach – Design of transaction level controls – Controls

► Focus on identifying the key controls related to the identified key risks.

► Each identified key risk must have at least one associated key control.

► Where one key control is associated with several key risks and is the only key control for those risks, the risk that a failure of that control results in a material error is correspondingly greater.

► Controls can be preventive or detective in nature. Ideally, a mix of both should be identified.

Top down, risk-based approach – Operational assessment of controls

► Once the key controls have been identified, a testing strategy focusing on the nature, extent and timing of testing must be developed.

► Understanding the objective of each control is critical to performing operational testing efficiently.

► Key controls can be prioritized for assessment based on individual risk assessments. These assessments would consider how long the control has been in place, the person(s) responsible for performing the control, the history of errors in the control and the extent to which an error would impact the associated risks.

Top down, risk-based approach – Operational assessment of controls

► Methodologies on testing control operational effectiveness are already established.

► The higher the frequency with which a control is performed, the greater the population to be tested.

  ► Rule of thumb: 10% of the population, to a maximum of 25.

► Establishing the expectations for evidence is critical to the overall assessment.

► Consistency in the operation of a well designed control is the overall objective.
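The rules on the last few slides (every key risk needs at least one key control, a single control that is the sole mitigation for several risks is a concentration of risk, a preventive and detective mix is preferred, and the test sample is 10% of the population to a maximum of 25) lend themselves to a mechanical check of a risk-and-control register. The script below is an added example written for this transcript; it is not material from the presentation or from Ernst & Young. The dataclass layout, the function names and every risk, control and population figure in it are constructed assumptions.

```python
"""Added example (not from the presentation): checks a risk-to-control
register against the rules on the slides:
  * every key risk needs at least one key control;
  * a key control that is the only control for several key risks is a
    single point of failure;
  * a risk covered only by preventive or only by detective controls lacks
    the recommended mix;
  * the test sample per control is 10% of its population, capped at 25.
All risks, controls and population figures are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    control_id: str
    description: str
    kind: str          # "preventive" or "detective"
    population: int    # how many times the control operated in the period


@dataclass
class Risk:
    risk_id: str
    account: str
    assertion: str     # existence, completeness, valuation, ...
    description: str
    control_ids: List[str] = field(default_factory=list)


def sample_size(population: int, pct: int = 10, cap: int = 25) -> int:
    """Rule of thumb from the slides: pct% of the population, at most cap.
    Integer ceiling division avoids float artefacts such as 30 * 0.1."""
    if population <= 0:
        return 0
    return min((population * pct + 99) // 100, cap)


def assess(risks: List[Risk], controls: List[Control]) -> Dict:
    """Return the findings a reviewer would raise on the register."""
    by_id = {c.control_id: c for c in controls}
    findings: Dict = {
        "unmitigated": [],               # risks with no valid key control
        "unknown_control": [],           # (risk, control id) that does not exist
        "single_points_of_failure": [],  # (control, risks) where it is the sole control
        "single_kind_only": [],          # risks without a preventive + detective mix
        "samples": {},                   # control -> number of items to test
    }
    sole_use: Dict[str, List[str]] = {}
    for r in risks:
        linked = []
        for cid in r.control_ids:
            if cid in by_id:
                linked.append(cid)
            else:
                findings["unknown_control"].append((r.risk_id, cid))
        if not linked:
            findings["unmitigated"].append(r.risk_id)
            continue
        if len(linked) == 1:
            sole_use.setdefault(linked[0], []).append(r.risk_id)
        if {by_id[c].kind for c in linked} != {"preventive", "detective"}:
            findings["single_kind_only"].append(r.risk_id)
    for cid, rids in sole_use.items():
        if len(rids) > 1:
            findings["single_points_of_failure"].append((cid, sorted(rids)))
    for c in controls:
        findings["samples"][c.control_id] = sample_size(c.population)
    return findings


def build_sample_register():
    """Constructed procure-to-pay style register (hypothetical data)."""
    controls = [
        Control("C1", "Three-way match of PO, receipt and invoice before payment",
                "preventive", population=5000),
        Control("C2", "Monthly accrual review by the Director of Finance",
                "detective", population=12),
        Control("C3", "Quarterly financial statement review by the CFO",
                "detective", population=4),
    ]
    risks = [
        Risk("R1", "Accounts payable", "Completeness",
             "Goods received before period end not recorded as liabilities", ["C2"]),
        Risk("R2", "Accounts payable", "Existence / Occurrence",
             "Payment issued for goods or services never received", ["C1", "C2"]),
        Risk("R3", "Operating expenses", "Completeness",
             "Period-end expenses not accrued", ["C2"]),
        Risk("R4", "Accounts receivable", "Valuation",
             "Receivables not written down to recoverable amount", []),
        Risk("R5", "Notes to the statements", "Presentation & Disclosure",
             "Contingent liability note omitted", ["C9"]),  # C9 is not in the register
    ]
    return risks, controls


def run_example() -> Dict:
    risks, controls = build_sample_register()
    return assess(risks, controls)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed register the check reports R4 and R5 as unmitigated (R5 because its only control reference, C9, does not exist), flags the monthly accrual review C2 as the sole control behind both R1 and R3, notes that R1 and R3 are covered by a detective control only, and sizes the test samples at 25, 2 and 1 items for the daily, monthly and quarterly controls respectively. The sample-size rule is deliberately written with integer ceiling division so that a population of 30 yields 3 rather than the 4 that `math.ceil(30 * 0.1)` produces.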

Lessons Learned

Lessons Learned

► Tone at the top – Lack of executive sponsorship will not only lead to a failure of the PIC project, but will cause significant repercussions throughout the internal control evaluation process, as the effective operation of entity level controls is critical for the assessment of transaction and IT controls.

► Leverage where appropriate – Although reliance on entity level controls can reduce the overall extent of work by reducing reliance on lower level controls, the sensitivity of these “higher level” entity controls may not address the specifically identified risks at the transaction level.

► Evidence the operation of ELCs – Entity level controls, by their nature, exist at higher levels of the organization. As a result, documentation or evidence of their operation is often inconsistent in form and frequency. Departments and agencies should ensure that those controls identified as key to financial reporting are consistently performed and documented to allow for substantive evaluation when required.

Lessons Learned

► Identify key risks and controls – There’s no prize for having the greatest number of risks or controls. The more specific and strategic you can be, the more efficiently and effectively you can identify, evaluate and maintain the control system.

► Start early – Private industry implemented SOX 404 in 2004 after several delays granted by the regulatory bodies. Regardless of the extended timelines, it was a sprint to the finish for most.

► Don’t jump in without a plan – In order to keep PIC from becoming a “make work” project, organizations need to create a plan that identifies the work to be completed, the time available to perform the required steps and the resource allocation.

► It’s not just a “finance” thing – Although the focus of ICFR is on financial reporting, actions across the organization can directly and indirectly impact the risks and related controls. Ownership of processes, and the ability to identify when something has changed, will be the key to future sustainability of the process.

Lessons Learned

► Living and breathing project – PIC is not a “one time” project. The assessment and continued monitoring of internal controls (both design and operation) are ongoing and must remain a living and breathing exercise.