On Friday, March 10, it can only be imagined that countlessmanagers and CIOs of Canadian public companies breathed a sigh ofrelief.
That day the Canadian Securities Administrators (CSA)announced its intention to propose an alternative approach toreporting on internal control over financial reporting.
While the new direction will feature several elements (with moreinformation to come from the CSA later this year), the onereceiving the most attention is the intended elimination of theneed for auditor attestation of an issuer’s reporting on internalcontrol. (There were no material changes to management’sresponsibilities.) Without auditor attestation, initial marketplacethinking was that management, including CIOs, could take a morerelaxed approach to certification efforts. But as companies gain abetter understanding of the impact of removing auditor attestation,the euphoria over this change will start to disappear.
The wake-up call
Consider the following scenario:
Sue, a fictional director and audit committee member, sits ontwo different boards — one is a publicly-traded company complyingwith the U.S.-based Sarbanes-OxleyAct (SOX), the other is a Canadian filer required to follow theCSA rules.
When it comes to her comfort level in approving the ManagementDiscussion and Analysis Document (MD&A) for the SOX filer, shehas an audit opinion on internal controls on which to rely.
For the Canadian filer, however, she has no such comfort. Sheonly has knowledge of management’s process for signing off on theCSA requirements and the audit committee’s oversight and monitoringupon which to rely. She is, therefore, likely to ask “Given thecivil liability rules, how robust is that process?”
What this means for CIOs
John is the fictional CIO of the company above that must complywith the Canadian CSA rules. With the potential move away fromauditor attestation, the general systems control (GSC), for whichJohn is responsible, will no longer bear the scrutiny of anexternal audit. Who will the audit committee, CEO and CFO turn tofor assurance? Given that John influences and controls theapplications and GSC that permeate the organization and itsinternal control environment, he is likely to be called upon foranswers on the state of IT internal controls over the financialreporting environment.
With the organizational reliance on IT and the vast range ofinternal controls throughout the business, John is likely to becomea large part of the due diligence process that management needs todemonstrate to the marketplace and the CSA.
Experience suggests that an unreliable IT control environmentdirectly impacts an organization’s current and future certificationactivities.
To ensure the CEO, CFO and board can complete their sign-offs,John needs to work with management to implement a robustcertification process. In 2006 he will need to ensure the requiredIT controls are suitably designed. In 2007, John will also need toensure that the IT controls operate effectively. He must beprepared to help management understand, test and document theorganization’s application controls and GSC. He will also need tohelp develop and implement a sustainable process for ongoingcompliance.
Learning from past mistakes
To help his organization with improved internal controlcompliance activities and have some control over his scope, Johnmust understand the role he can play going forward and use thelessons learned from his U.S.-based counterparts, such as :
— Leverage a risk-based approach to focus effort and evidenceto scaled level of what matters most. (The CSA risk-based approachmay be more rationale-based and less formula/numeric intensive thanits U.S. counterpart.);
— Ensure finance and business teams understand the role andrequirements of IT in certification;
— Fully integrate business and technology teams forcertification;
— Act now to complete either the assessment activities orcorrective actions
— Avoid using too many, too few, or irrelevant IT controls;
— Try to shoehorn a generic IT control framework rather thancustomizing it;
— Avoid unsustainable quick-fix solutions.
Three key considerations
While there are no hard and fast rules, organizations complyingwith the CSA requirements need to build an efficient and effectivecertification process. John needs to ensure this process willprovide sufficient assurance to the CFO, CEO, audit committee andboard that there are no material weaknesses in the IT controlenvironment over financial reporting. John may want to consider thefollowing three recommendations:
1. Develop a risk-based approach to IT internal controlcompliance;
2. Apply this risk-based approach to application controls and GSC;and,
3. Determine how to integrate the risk-based approach into theorganization’s overall sustainable compliance program.
Step 1: Develop an IT risk-based approach
A risk-based approach enables John to focus his efforts on areasof high risk and reduce attention on low risk areas. To developthis approach, John must gain an understanding of, and risk rate,his IT control environment and control objectives.
By asking a series of questions, John can classify the standardareas of IT risk as “high, medium or low”, and determine which onesneed to be included in his certification scope. The IT managementand operational control areas he should consider include: ITmanagement controls, program development/acquisition, program andinfrastructure changes, operations and access to data and systems.Some questions he may want to ask include:
— Management level context questions such as:
— How does executive management know that IT is doing itsjob?
— What are the indicators of the IT operation’s success/burnrate?
— How do executives know if IT is meeting business needs?
— What is the awareness of IT control requirements?
— IT operational questions such as:
— How old, complex and stable is the technology environmentthat supports the overall financial reporting process (includingsystems that initiate transactions)?
— Are there recent significant changes in IT leadership,structure, technology or processes?
– How stable and robust are the IT operational processes andrelated performance measures?
— What is the nature of the process’ s deployment(centralized/decentralized)?
— What is the process’s impact on internal controls overfinancial reporting?
By performing and substantiating this approach John begins tobuild an internal controls assessment program, customized andfocused on key areas of concern. He can tailor the work effortadopted and the amount of evidence collected for each objectivebased on the risk ranking per the certification projectstandards.
Step 2: Apply the IT risk-based approach
Next, John works with certification team members to identifyrelevant applications included in the overall certificationprocess. They are typically related to the initiation, processingand reporting of financial reporting matters. Within theseapplications John’s team can help the certification team identifyand apply a risk assessment to key application based on twofactors:
— Nature of the key application control (embedded orconfigurable)
— Type of key application control (inherent/customized)
Addressing these factors, John is again able to align effort andevidence with the risk rating. For instance, a standard keyapplication control within an off-the-shelf software package isgenerally of lower inherent risk and requires a lesser amount ofassessment/evidence than that required for a highly developedsolution that users configure (pricing tables) or with customizedlogic (revenue formulas based on statistical models).
Knowing which key applications are included in the certificationprocess, John can now focus on the underlying GSC related to thekey applications. Within the GSC area, John can turn his attentionto scaling the assessment activities and level of testing/evidenceto the degree of risk as defined in the IT risk-based approach. Forexample, IT operations that have limited or no batch processing andno shift transitions will likely find that these controls areassociated with lower risk ratings and thus lower scaleddocumentation and testing.
Step 3: Develop a sustainable model
The assessment process is a lot of work and it is not goingaway. John should therefore consider how to ease the work of todayas well as that of the future. He needs to give thought to asustainable working model for internal controls operation andassessment, considering current remedial requirements and futuresustainability or trade-offs. By approaching remediation from anoperational perspective and slightly extending the effort, he maybe able to achieve certification compliance while optimizingbusiness processes and building them to satisfy other additionalbusiness requirements.
A sustainable model should integrate ongoing complianceactivities within the daily business operations. As a result, thebusiness activities are tailored to meet the business risks andneeds (including compliance adherence, internal controls assessmentand evidence generation), as well as provide ongoing compliance andmanagement reporting for the effectiveness of internalcontrols.
Admittedly, it may not be possible to develop a sustainableprocess for every control area within the current year. The trickis to ensure that informed and collaborative decisions are madewith regards to what is an immediate focus and what can wait.
In developing a sustainable compliance model, John shouldcontemplate how to build the assessment of controls into ongoingoperations by considering such steps as:
— Introducing a customized control framework, such CobiT,ISO17799, ITCG, etc.;
— Building tailored IT processes based on IT process models(ITIL, CMMI, etc.) and integrating a customized controlframework;
— Integrating other business needs and compliance requirementsbeyond certification into a consolidated solution;
— Replacing manual controls with application controls toachieve efficiencies;
— Baselining application controls with year-over-year effortdispersion; and
— Embedding internal controls compliance into process changes,projects and systems solutions prior to rollout.
The sanity check
By working closely with the rest of the management group, Johnis able to ensure that his documentation and testing guidelines areconsistent with the organization’s approach, making it less likelythat he will expend unnecessary resources or not do enough work tosupport the findings.
By working with the others, John is also able to help formulatea solid strategy that will deliver a higher level of comfort overIT controls to the CFO, CEO, audit committee and board. In areas ofgreater risk, he may want to consider working with or consultingother groups (internal or external) to obtain an appropriate levelof comfort.
Using this process as a foundation, John is able to record anddocument properly the rationale behind his approach and gainspecialist assistance where required.
A CIO’s work is never done
As part of the organizational leadership, John needs tounderstand and deliver on the certification expectations of theboard, audit committee, CEO and CFO. He needs to provide aconsistent and reliable IT processing environment andassurance/evidence of its effectiveness. He will be called upon toaid in developing and supporting solutions to manage current andfuture organizational or departmental needs, in terms ofcertification and beyond. In summary: John is responsible fordelivering on these expectations. Will he just meet the mark, ortake the opportunity to be an innovative and strategic solutionprovider for his organization?