Compliance: New rules, new risk

On Friday, March 10, countless managers and CIOs of Canadian public companies likely breathed a sigh of relief.

That day the Canadian Securities Administrators (CSA) announced its intention to propose an alternative approach to reporting on internal control over financial reporting.

While the new direction will feature several elements (with more information to come from the CSA later this year), the one receiving the most attention is the intended elimination of the need for auditor attestation of an issuer’s reporting on internal control. (There were no material changes to management’s responsibilities.) Without auditor attestation, initial marketplace thinking was that management, including CIOs, could take a more relaxed approach to certification efforts. But as companies gain a better understanding of the impact of removing auditor attestation, the euphoria over this change will start to disappear.

The wake-up call

Consider the following scenario:

Sue, a fictional director and audit committee member, sits on two different boards – one is a publicly-traded company complying with the U.S.-based Sarbanes-Oxley Act (SOX), the other is a Canadian filer required to follow the CSA rules.

When it comes to her comfort level in approving the Management's Discussion and Analysis (MD&A) for the SOX filer, she has an audit opinion on internal controls on which to rely.

For the Canadian filer, however, she has no such comfort. She only has knowledge of management’s process for signing off on the CSA requirements and the audit committee’s oversight and monitoring upon which to rely. She is, therefore, likely to ask “Given the civil liability rules, how robust is that process?”

What this means for CIOs

John is the fictional CIO of the company above that must comply with the Canadian CSA rules. With the potential move away from auditor attestation, the general systems control (GSC), for which John is responsible, will no longer bear the scrutiny of an external audit. Who will the audit committee, CEO and CFO turn to for assurance? Given that John influences and controls the applications and GSC that permeate the organization and its internal control environment, he is likely to be called upon for answers on the state of IT internal controls over the financial reporting environment.

With the organizational reliance on IT and the vast range of internal controls throughout the business, John is likely to become a large part of the due diligence process that management needs to demonstrate to the marketplace and the CSA.

Experience suggests that an unreliable IT control environment directly impacts an organization’s current and future certification activities.

To ensure the CEO, CFO and board can complete their sign-offs, John needs to work with management to implement a robust certification process. In 2006 he will need to ensure the required IT controls are suitably designed. In 2007, John will also need to ensure that the IT controls operate effectively. He must be prepared to help management understand, test and document the organization’s application controls and GSC. He will also need to help develop and implement a sustainable process for ongoing compliance.

Learning from past mistakes

To help his organization with improved internal control compliance activities and retain some control over his scope, John must understand the role he can play going forward and use the lessons learned from his U.S.-based counterparts, such as:

• Leverage a risk-based approach so that effort and evidence are scaled to what matters most. (The CSA risk-based approach may be more rationale-based and less formula/numeric intensive than its U.S. counterpart.);

• Ensure finance and business teams understand the role and requirements of IT in certification;

• Fully integrate business and technology teams for certification;

• Act now to complete either the assessment activities or corrective actions;

• Avoid using too many, too few, or irrelevant IT controls;

• Customize the IT control framework to the organization rather than shoehorning in a generic one;

• Avoid unsustainable quick-fix solutions.

Three key considerations

While there are no hard and fast rules, organizations complying with the CSA requirements need to build an efficient and effective certification process. John needs to ensure this process will provide sufficient assurance to the CFO, CEO, audit committee and board that there are no material weaknesses in the IT control environment over financial reporting. John may want to consider the following three recommendations:

1. Develop a risk-based approach to IT internal control compliance;
2. Apply this risk-based approach to application controls and GSC; and,
3. Determine how to integrate the risk-based approach into the organization’s overall sustainable compliance program.

Step 1: Develop an IT risk-based approach

A risk-based approach enables John to focus his efforts on areas of high risk and reduce attention on low risk areas. To develop this approach, John must gain an understanding of, and risk rate, his IT control environment and control objectives.

By asking a series of questions, John can classify the standard areas of IT risk as “high, medium or low”, and determine which ones need to be included in his certification scope. The IT management and operational control areas he should consider include: IT management controls, program development/acquisition, program and infrastructure changes, operations and access to data and systems. Some questions he may want to ask include:

Management level context questions such as:

– How does executive management know that IT is doing its job?

– What are the indicators of the IT operation’s success/burn rate?

– How do executives know if IT is meeting business needs?

– What is the awareness of IT control requirements?

IT operational questions such as:

– How old, complex and stable is the technology environment that supports the overall financial reporting process (including systems that initiate transactions)?

– Are there recent significant changes in IT leadership, structure, technology or processes?

– How stable and robust are the IT operational processes and related performance measures?

– What is the nature of the process's deployment (centralized/decentralized)?

– What is the process’s impact on internal controls over financial reporting?

By performing and substantiating this approach John begins to build an internal controls assessment program, customized and focused on key areas of concern. He can tailor the work effort adopted and the amount of evidence collected for each objective based on the risk ranking per the certification project standards.

Step 2: Apply the IT risk-based approach

Next, John works with certification team members to identify the relevant applications included in the overall certification process. They are typically the applications involved in initiating, processing and reporting financial transactions. Within these applications, John's team can help the certification team identify the key application controls and apply a risk assessment to each of them based on two factors:

• Nature of the key application control (embedded or configurable)

• Type of key application control (inherent/customized)

Addressing these factors, John is again able to align effort and evidence with the risk rating. For instance, a standard key application control within an off-the-shelf software package is generally of lower inherent risk and requires a lesser amount of assessment/evidence than that required for a highly developed solution that users configure (pricing tables) or with customized logic (revenue formulas based on statistical models).

Knowing which key applications are included in the certification process, John can now focus on the underlying GSC related to the key applications. Within the GSC area, John can turn his attention to scaling the assessment activities and level of testing/evidence to the degree of risk as defined in the IT risk-based approach. For example, IT operations that have limited or no batch processing and no shift transitions will likely find that these controls are associated with lower risk ratings and thus lower scaled documentation and testing.

Step 3: Develop a sustainable model

The assessment process is a lot of work and it is not going away. John should therefore consider how to ease the work of today as well as that of the future. He needs to give thought to a sustainable working model for internal controls operation and assessment, considering current remedial requirements and future sustainability or tradeoffs. By approaching remediation from an operational perspective and slightly extending the effort, he may be able to achieve certification compliance while optimizing business processes and building them to satisfy other additional business requirements.

A sustainable model should integrate ongoing compliance activities within the daily business operations. As a result, the business activities are tailored to meet the business risks and needs (including compliance adherence, internal controls assessment and evidence generation), as well as provide ongoing compliance and management reporting for the effectiveness of internal controls.

Admittedly, it may not be possible to develop a sustainable process for every control area within the current year. The trick is to ensure that informed and collaborative decisions are made with regards to what is an immediate focus and what can wait.

In developing a sustainable compliance model, John should contemplate how to build the assessment of controls into ongoing operations by considering such steps as:

• Introducing a customized control framework, such as CobiT, ISO 17799, ITCG, etc.;

• Building tailored IT processes based on IT process models (ITIL, CMMI, etc.) and integrating a customized control framework;

• Integrating other business needs and compliance requirements beyond certification into a consolidated solution;

• Replacing manual controls with application controls to achieve efficiencies;

• Baselining application controls so that testing effort can be spread over several years rather than repeated in full each year; and

• Embedding internal controls compliance into process changes, projects and systems solutions prior to rollout.

The sanity check

By working closely with the rest of the management group, John is able to ensure that his documentation and testing guidelines are consistent with the organization’s approach, making it less likely that he will expend unnecessary resources or not do enough work to support the findings.

By working with the others, John is also able to help formulate a solid strategy that will deliver a higher level of comfort over IT controls to the CFO, CEO, audit committee and board. In areas of greater risk, he may want to consider working with or consulting other groups (internal or external) to obtain an appropriate level of comfort.

Using this process as a foundation, John is able to record and document properly the rationale behind his approach and gain specialist assistance where required.

A CIO’s work is never done

As part of the organizational leadership, John needs to understand and deliver on the certification expectations of the board, audit committee, CEO and CFO. He needs to provide a consistent and reliable IT processing environment and assurance/evidence of its effectiveness. He will be called upon to aid in developing and supporting solutions to manage current and future organizational or departmental needs, in terms of certification and beyond. In summary: John is responsible for delivering on these expectations. Will he just meet the mark, or take the opportunity to be an innovative and strategic solution provider for his organization?


–Doug Wilkinson is a partner with Deloitte’s Enterprise Risk practice focused on IT risk and assurance services. He can be contacted at

–Christopher O’Connor, a senior manager with Deloitte’s Enterprise Risk practice, specializes in IT risk and assurance. He can be contacted at