CERTIFICATION AND INTERNAL CONTROL REGIME FOR CROWN CORPORATIONS

Transcription

1 Internal Management Oversight: CERTIFICATION AND INTERNAL CONTROL REGIME FOR CROWN CORPORATIONS Crown Corporation Guidance

2 This document is intended as advice or guidance and as a source of considerations and resource materials on the subject of certification and internal control regimes for Crown corporations. This document does not constitute a Crown corporation legal or policy requirement nor does it establish monitoring obligations on the part of Treasury Board Secretariat. For more information on this guidance document and related Crown corporation guidance materials please refer to the Treasury Board of Canada Secretariat, Governance Directorate website or contact us directly at gd-dg@tbs-sct.gc.ca. Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2010 Catalogue No. BT33-4/3-2010E-PDF ISBN This document is available on the Treasury Board of Canada Secretariat website at This document is available in alternative formats upon request.

3 Table of Contents 1.0 Introduction Background Overall Approach to Certification and Internal Controls Financial statement risk assessment scoping Certification and internal control regime strategy Documentation and Testing of Internal Controls over Financial Reporting Sustaining Effective Internal Controls Over Financial Reporting Annual Statement of Management Responsibility Conclusion References... 13

4

5 Executive Summary: Certification and Internal Control Regime for Crown Corporations The Treasury Board Secretariat has not made certification of financial statements mandatory for Crown corporations. The question of whether or how far to proceed with the implementation of a certification and internal control regime is a decision that each Crown corporation can make based on an assessment of its operations business and accounting requirements, stakeholder needs and perspectives, and risks. An appropriate Crown corporation certification and internal control regime sufficiently addresses the corporation s own specific risks and operating environment, recognizing that a one size fits all approach is not realistic given the varied nature of Crown corporations. The overall objective of an effective certification and internal control regime is to support management of an entity and to provide assurance that financial information and financial reports are reliable. This assurance means that transactions are properly authorized, financial records are properly maintained, assets are safeguarded from the risk of waste, loss, abuse, fraud or mismanagement, and that applicable laws, regulations and policies are complied with. The first step a Crown corporation should undertake when establishing a certification and internal control regime is to review its financial statements to identify key risk areas and associated key controls that should be assessed as part of the internal control regime. This financial statement risk assessment is typically accomplished through a scoping exercise which provides a risk-ranked listing of potential control areas for inclusion in the internal control regime. Based on the results of this scoping exercise and the types of risks being mitigated, a corporation s management will normally be able to propose to the board of directors the nature and number of entity-level key control areas, business process key controls, general computer key control processes, and disclosure key control processes and their associated risks which might be included in its internal control regime. It is also suggested that management develop and align a potential risk rating for each such control process for discussion with the corporation s board. A Crown corporation may then decide to document its proposed certification and internal control regime strategy and its identified key controls and key risks that will be incorporated into the strategy (i.e., what will be included in the in-scope exercise and covered by the Crown corporation s planned approach for internal control). Based on standard practice in private sector 1

6 businesses, the following three areas should be assessed in a Crown corporation internal control regime: Entity-level controls; Financial statement closing and reporting process; and Disclosure controls in relation to information to be provided in the annual report (including financial statements), the corporate plan and quarterly financial reports. It is also suggested that each Crown corporation document and assess the key control activities in high risk processes (either business processes or general computer control processes) identified through its scoping exercise. For these in-scope processes, Crown corporations may document (typically through a combination of process narrative/flowchart descriptions and a detailed accompanying control matrix) and assess the effectiveness of the key control activities in each process. The documentation and assessment approach taken by the Crown corporation may be indicated in its internal control regime strategy. A Crown corporation that implements a certification and internal control regime may decide to insert a statement of management responsibility in its annual report, in which the chief executive officer (CEO) and chief financial officer (CFO) attest to the financial statements and the presence and effectiveness of a system of internal controls over financial reporting and disclosure controls and processes. Depending on the unique circumstances of the corporation, a board of directors has the prerogative to determine the nature of the certification and internal control strategy and regime to be instituted. 2

7 1.0 Introduction Certification of the effectiveness of internal controls over financial reporting (ICFR) is not mandatory for Crown corporations. Federal Crown corporations that decide to implement a certification-based approach through an internal control regime may find this document useful. The question of whether, or how far, to proceed with the implementation of a certification and internal control regime is a decision that each Crown corporation board of directors will make for itself based on an assessment of its operations business and accounting requirements, stakeholder needs and perspectives, and risks. Depending on the organization s individual circumstances, a tailored regime (which ensures, for example, that risks are regularly reviewed and mitigation strategies updated as necessary) could be used. 2.0 Background Parliament and Canadians expect the federal government to be well managed with prudent stewardship of public funds, safeguarding of public assets, and effective, efficient and economical use of public resources. They also expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians or, in the case of non-appropriated organizations, how effectively they manage their operations and earn income. The overall objective of an effective certification and internal control regime is to support management of an entity and to provide assurance that financial information and financial reports are reliable. This assurance involves determining whether the organization s transactions are properly authorized, financial records are properly maintained, assets are safeguarded from the risk of waste, loss, abuse, fraud or mismanagement, and that applicable laws, regulations and policies are complied with. Certification refers to the requirement that senior officers (usually the CEO and CFO) of a corporation certify or attest, by signature, that they have discharged certain responsibilities, which include confirmation of the effectiveness of internal controls over financial reporting. Normally such certifications are included in a statement of management responsibility that is disclosed with the financial statements of an entity. For departments and agencies, one way the Canadian government ensures reliable reporting is through the use of the Policy on Internal Control, 1 which details the roles and responsibilities of 1. Policy on Internal Control, Treasury Board. This policy applies to all departments as defined by section 2 of the Financial Administration Act. Thus, it does not apply to Crown corporations. 3

8 various federal players in ensuring that risks relating to the stewardship of public resources are adequately managed. In the private sector, certification of the effectiveness of ICFR has been adopted by both the United States (Sarbanes-Oxley Act and Securities Exchange Commission regulations) and the Canadian Securities Administrators 2 (National Instrument , Certification of Disclosure of Issuers Annual and Interim Filings). The Review of the Governance Framework for Canada s Crown Corporations, published in 2005, makes the following statements of principle and commitment: Measure #24 In principle, the government supports the use of a certification regime adapted to the reality of public institutions. The Treasury Board of Canada Secretariat will examine, in consultation with Crown corporations, the development of a certification regime that would be applicable to all Crown corporations. Consultations with Crown corporations highlighted their widely different perspectives and requirements in relation to certification, depending on the size and complexity of each organization s operations. A number of the larger Crown corporations had already begun a process potentially leading to the introduction of a certification and internal control regime and eventually determined that the costs outweighed the benefits for their particular organizations. Other smaller organizations perceived little need at that time to spend the additional resources required to implement a certification regime. A few Crown corporations adopted different approaches, for example, a cyclical, risk-based review approach to the management of their internal controls. Based on input from Crown corporations and the Auditor General, TBS determined not to make it mandatory for Crown corporations to introduce a certification and internal control regime. The board of directors and management of each Crown corporation have a fundamental responsibility to achieve effective and efficient operations and reliable financial reporting. Reasons why Crown corporations might wish to implement a certification and internal control regime include: To meet the expectations of Canadians that public resources are used in an efficient, effective and economical manner; 2. The Canadian Securities Administrators (CSA) is a voluntary umbrella organization of Canada s provincial and territorial securities regulators whose objective is to improve, coordinate and harmonize regulation of Canadian capital markets. 4

9 To strengthen management s responsibility for the accuracy, completeness and reliability of Crown corporation financial reporting; To encourage the development, documentation and maintenance of effective internal controls over financial reporting; and To encourage the development of effective disclosure controls and procedures related to other key Crown corporation financial reporting requirements. It is a best practice of boards of directors (and/or audit committees) to review and challenge the reasonableness of the Crown corporation s certification and internal control regime in light of the risks, context and business needs of the Crown corporation. 3.0 Overall Approach to Certification and Internal Controls An appropriate certification and internal control regime is one that addresses a Crown corporation s own specific risks and operating environment, recognizing that a one size fits all approach would not be realistic given the varied nature of Crown corporations. To decide what measures will be taken as part of a certification and internal control regime, a Crown corporation should first determine the nature of the assessments required in order to provide the CEO and CFO with sufficient assurance so that they can attest to the financial statements in the statement of management responsibility. (see section 6.0 below). This document describes the key elements of a risk-based approach to managing internal controls that Crown corporations may wish to consider once the corporation decides to establish an internal control regime. 3.1 Financial statement risk assessment scoping The first step that a Crown corporation should take if it decides to establish an internal control regime is to review its financial statements to identify and assess key risk areas that could be covered within the scope of the regime. This financial statement risk assessment is typically accomplished through a scoping exercise, with the anticipated output being a risk-ranked listing of potential control areas for inclusion in the internal control regime. Using this risk-ranked listing, a Crown corporation can identify the higher risk areas that would be covered within its internal control regime. 5

10 When scoping is undertaken, it is suggested that Crown corporations consider the following four areas for internal control purposes: 1. Entity-level controls Entity-level controls support the tone at the top for an organization. They include controls related to the control environment, risk assessment process, information/communication and monitoring activities of the organization. During scoping, a Crown corporation identifies relevant entity-level controls to be included in its internal control regime. Typically, this encompasses organization-wide controls that could affect or influence the reliability of financial information that forms a part of business and general computer processes. As part of scoping entity-level controls, the Crown corporation also considers identifying the level of monitoring controls that exist across the Crown corporation, as this information may provide valuable insight when determining which types of higher level monitoring controls can be relied upon within the internal control regime. 2. Business process control Scoping of business process controls, including application controls, typically begins with the financial statements and supporting trial balance of the organization. The goal of scoping is to identify the financial statements material classes of transactions, which are often grouped into business processes. A variety of quantitative and qualitative factors may be considered to determine whether or not the material classes of transactions/business processes should be in scope for internal control: Quantitative The dollar value of the financial statement line items/material classes of transactions may be considered to determine the significance/criticality of the related business processes. To assess the dollar value, a percentage of financial statement audit materiality is typically used. Qualitative In addition to the quantitative value of classes of transactions, other factors may be considered when assessing which business processes to include as part of the in-scope exercise for internal control efforts. These factors include the complexity of related accounting policies/procedures, susceptibility of the process to manipulation or fraud, extent of judgments or estimates required within the process, degree of change in the process, history of errors and potential exposure to public scrutiny. After assessing the classes of transactions/business processes for both quantitative and qualitative factors, it is suggested that an overall risk rating be given to each. This rating can be used to determine which classes of transactions/business processes may be assessed as part of the internal control regime. 6

11 3. General computer controls For each of the applications/systems identified as supporting the business processes that are inscope (see section 1.2 above), Crown corporations would determine the general computer control processes that are in place corporation-wide to support these applications/systems. Typical areas of general computer controls include program development, program changes, access to programs and data, and computer operations. 3 Once identified, an overall risk rating can be determined for each unique general computer control process. This rating may be used to determine the priority for addressing general computer control processes within the Crown corporation s internal control regime. 4. Disclosure controls A Crown corporation s internal control regime should cover disclosure controls related to the Crown corporation s annual report (including financial statements), the corporate plan and quarterly financial reports. Crown corporations may scope in the processes and internal controls that are used to ensure the appropriate disclosure and reliability of information in these documents. 3.2 Certification and internal control regime strategy Based on the results of scoping, the entity-level control areas, business processes, general computer control processes and disclosure control processes which should or should not be included in the internal control regime will be more apparent. Board members may ask the corporation s management to develop initial risk ratings for each of these processes. In light of the data, each Crown corporation should be well placed to document its proposed internal control regime strategy (i.e. what will be in scope and what the Crown corporation s planned approach for the internal control program will be). Based on experiences in the private sector and other areas with similar internal control regimes, at least, the following three areas should be assessed in a Crown corporation s internal control regime: Entity-level controls; Financial statement closing and reporting process; and Disclosure controls over the annual report (including financial statements), corporate plan and quarterly financial reports. 3. Program Development, Program Changes, Access to Programs and Data, and Computer Operations are the four general computer control areas identified in Control Objectives for Information and related Technology (COBIT) with respect to the Sarbanes Oxley Act (SOX). 7

12 In addition, unless there are mitigating circumstances, Crown corporations would document and assess control activities in other high risk processes (either business processes or general computer control processes) identified through their scoping exercises. Of course, higher risk business processes will vary depending on the nature of the Crown corporation, so each Crown corporation may wish to document its rationale for inclusion or exclusion of business processes in its internal control strategy. Higher risk general computer control processes typically include access to programs and data, program development and program changes, but these could also vary between Crown corporations, depending on the nature of the Crown corporation s systems environment and the reliance thereon for financial reporting. For processes that are not deemed to be high risk through the scoping exercise, Crown corporations can determine what measures, if any, are required to support the internal control regime. Instead of completely documenting and assessing key controls that are anticipated for higher risk areas, different approaches may be considered for lower risk areas, such as: Documenting key controls but adopting a reduced assessment approach (e.g., more limited testing or sampling of internal controls or testing over a multi-year rotation plan); or Relying on higher level or centralized, corporate level monitoring controls that management may use (these may have been identified through entity-level control scoping or within the higher risk business processes). 4.0 Documentation and Testing of Internal Controls over Financial Reporting For in-scope business, general computer control, entity-level control and disclosure control processes, Crown corporations may choose to document (i.e. typically through a combination of process narrative/flowchart descriptions and a detailed accompanying control matrix) and assess the key control activities in each process. The documentation and assessment approach taken by a Crown corporation should be set out in its internal control regime strategy. In the private sector, a top-down approach (i.e. starting at the entity-level and then moving down to the general computer controls and lastly to the detailed business processes) has been found to be a resource efficient strategy in assessing internal controls. Note that other organizations have found it worthwhile to complete a review of the design effectiveness of entity controls and to implement a pilot project with one or more processes before documenting and assessing all in-scope processes. In situations where entity level controls are found to be strong, this should reduce the overarching risks to be managed in relation to the reliability of financial statements and perhaps reduce the levels of testing and sampling in business processes. Use of a pilot project allows for a better understanding of the required process and time implications for completing the required documentation and assessment activities. Drawing on lessons learned 8

13 from assessing the design effectiveness of entity level controls, a Crown corporation may be better positioned to efficiently identify where key controls need to be comprehensively documented and assessed. The documentation and assessment approach that a Crown corporation uses for its internal control regime ideally, would satisfy the following: The CEO and CFO have sufficient evidence of rigour in the management of internal controls over financial reporting to enable them to sign the statement of management responsibility, including where the statement includes explicit certification of the effectiveness of ICFR; The board of directors (and/or audit committee) has sufficient assurance that the Crown corporation s internal control regime adequately addresses the risks faced by the corporation; and An efficient, effective and ongoing internal control monitoring program is in place. An important objective of the assessment process is to ensure that the nature of the identified risks aligns appropriately with the associated control or control activity. Usually, this alignment can be validated by documenting the key controls and control processes and considering the design effectiveness of the control environment. This confirmation is a fundamental basis for determining whether an internal control regime is effective, is maintaining control and is mitigating risks. An assessment of the effectiveness of internal controls over financial reporting normally includes an assessment of both the design of these controls and their operating effectiveness. These are the sequential steps of standard assessments of effectiveness of internal controls as practiced in the private sector and other areas. If deficiencies are identified in the documentation and design and operating effectiveness assessment process, Crown corporations should undertake a process to identify the severity/importance of the deficiencies and put in place appropriate remediation plans to address material weaknesses, which are defined as follows: A material weakness means a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the reporting corporation s financial statements will not be prevented or detected in a timely manner. As noted in the statement of management responsibility, material weaknesses and management s corresponding remediation plans (including timelines for remediation) may be disclosed. 9

14 Reporting As previously noted, a Crown corporation should identify any significant scope exclusions from its internal control regime (e.g. subsidiaries, locations, variable interest entities). In addition, any material weaknesses may be disclosed along with management s action plans and timelines for resolving the deficiencies, addressing control issues or mitigating the risks caused by the deficiencies. It is also suggested that a Crown corporation provide, along with the statement of management responsibility, a brief description of the overall approach taken by the corporation for its internal control regime. This can be attached to the statement of management responsibility along with its financial statements. Roles and responsibilities It is the board of directors that ultimately determines whether the introduction of a certification and internal control regime is necessary and, if so, identifies the overall requirements of the system. In such cases, the board is expected to exercise an oversight role in relation to the plans and results of effectiveness assessments, including any necessary adjustments to the regime. At key strategic points in the process, the Crown corporation s board of directors (and/or audit committee) would review management s approach to internal control to determine whether they are satisfied that the scope and approach adequately support the statement of management responsibility, given the context and operating realities of the Crown corporation, and that the results appropriately reflect the internal control environment of the corporation. Typically, a chief financial officer is expected to lead and coordinate the management of the corporation s certification and internal control regime as a strategic advisor and in support of the executive management role of the CEO. Both the CEO and CFO are responsible for signing a statement of management responsibility instituted as part of the certification and internal control regime. Other senior managers who have program responsibilities would also be key contributors to the management of the internal control regime within their area of responsibility. In addition, specific expertise should be leveraged to ensure the overall integrity of the assessment of the effectiveness of internal controls, including in the areas of internal audit and information technology. Ultimately, the Crown corporation s CEO and CFO need to decide when they are ready to sign off on a statement of management responsibility (see section 6.0 below) if the board of directors decides to establish a certification and internal control regime. In this regime, Crown corporations may also consider implementing lower level or additional internal sign-offs on the 10

15 effectiveness of internal controls in which the organization s key managers also certify the effectiveness of internal controls within their area of responsibility. This is emerging as a best practice in the private sector. Control framework It is suggested that a Crown corporation identify, within its internal control regime strategy, the overall control framework that is being used for its internal control regime. The control framework provides a structure that enables a Crown corporation s internal control efforts to be undertaken in an organized and efficient manner. In other sectors and areas, the COSO 4 framework has been widely accepted as the standard for similar certification initiatives. This normally encompasses five areas or components related to internal control, including: 1) control environment; 2) risk assessment; 3) control activities; 4) information and reporting; and 5) monitoring. Similarly, COBIT 5 has become the de-facto standard for IT-related controls in an internal control regime. Given the approach, supporting information and tools related to these frameworks, it would be worthwhile for a Crown corporation to explore the benefits of using these frameworks. 5.0 Sustaining Effective Internal Controls Over Financial Reporting Once the initial year s internal control work (i.e. scoping, documentation and testing of controls and reporting) is completed, there will be an ongoing need to ensure documentation is kept upto-date and that retesting is conducted periodically to support ongoing internal control reporting. To that end, a Crown corporation may wish to consider a program of ongoing maintenance/ sustainability activities as part of its internal control strategy (note that a Crown corporation may be better positioned to develop its maintenance/sustainability strategy after completion of the initial year s internal control activities). 4. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. Executive Summaries of COSO guidance are available. 5. The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by an IT governance professional association, the Information Systems Audit and Control Association (ISACA), and an IT think tank, the IT Governance Institute. COBIT provides manager, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. Further information on COBIT can be found on the ISACA website. 11

16 Common maintenance strategies include ensuring that accountability for periodic (e.g., annual or semi-annual) review and update of the control documentation is assigned to a designated lead or process owner. In addition, conducting targeted risk-based testing throughout the year (e.g. quarterly) is a common sustainability strategy. Some organizations are using technology to maintain control documentation, track testing and report on progress/results to address their ongoing oversight in this area. Finally, to support sustainability, many organizations seek to integrate aspects of their internal control projects with, and leverage the results of, the organization s enterprise risk management and internal audit processes. 6.0 Annual Statement of Management Responsibility A Crown corporation that implements a certification and internal control regime may decide to include a statement of management responsibility with its financial statements in its annual report. Ideally, the CEO and CFO would certify the following in the statement: That the CEO and CFO have reviewed the financial statements, and based on their knowledge and having exercised reasonable diligence, the financial statements fairly present in all material respects the position, results of operations and cash flows of the Crown corporation, as of the date specified, and for the periods presented in the financial statements; That the CEO and CFO have established and maintain effective internal controls over financial reporting, which includes safeguarding assets and ensuring compliance with applicable laws and regulations; and that the Crown corporation has designed internal controls over financial reporting and disclosure controls and procedures (for its annual report, corporate plan and quarterly financial reports) that are appropriate to the circumstances of the Crown corporation That the CEO and CFO conducted an assessment of the effectiveness of the corporation s internal controls over financial reporting and disclosure controls and procedures. Based on the results of this assessment, there is reasonable assurance that internal controls over financial reporting, as of the date specified, were effective and no material weaknesses were found in the design or operation of the internal controls over financial reporting, with the exception of: Description of a material weakness; Description of the remediation plan to address the material weakness; and The completion date or expected completion date of the remediation plan. Any significant scope exclusions from a Crown corporation s certification and internal control regime (e.g. subsidiaries, locations, variable interest entities) may be identified. 12

17 It should be noted that alternate types of management disclosure statements may be used by Crown corporations depending on the form of internal control over financial reporting they adopt. 6 Any additional summary information to be disclosed related to the assessment and management of the internal control regime can be attached to the statement of management responsibility. 7.0 Conclusion The introduction of a certification and internal control regime requires additional outlays of resources and effort on the part of the organization, particularly in the short term when such a system is being designed and implemented. However, in the medium to long term, such a regime can provide the board of directors and management with substantial assurance that the financial statements fairly present the corporation s operational results and that any weaknesses in financial reporting have been identified. Thus far, most Crown corporations have not introduced a certification and internal control regime, based on an assessment that the risks of financial misstatement are relatively minor in relation to the costs associated with putting the regime in place. However, recent financial disclosure requirements may augment the desire to reduce such risks still further. For example, the Standard on Quarterly Financial Reports for Crown Corporations, which takes effect on April 1, 2011, requires the CEO and CFO to sign a statement that the quarterly financial reports present fairly in all material respects the financial position, results of operation and cash flows of the corporation. The implementation of some form of internal controls over financial reporting and disclosure controls and procedures is one way to minimize the risk of financial misstatements. 8.0 References National Instrument : Certification of Disclosure in Issuers Annual and Interim Filings, Ontario Securities Commission. October Sarbanes-Oxley Act of 2002, H.R Policy on Internal Control (for federal departments and agencies), Treasury Board Secretariat. 6. The 2009 Canada Deposit Insurance Corporation Annual Report is an example of an alternate disclosure format. 13