Bill 198, which was enacted in 2002, has been top of mind for many Canadian executives especially as the timeline for compliance started kicking in last year for some companies. The deadlines set for Canadian firms were based on market capitalization, beginning with the largest ones and working its way down to the smallest firms.
Despite its enactment in 2002, Bill 198 – also known as C-SOX – is still an issue that many Canadian executives are concerned about due, to some extent, to the fact that C-level executives now bear direct accountability for financial reporting, noted Nigel Wallis, research manager for Canadian applications services at IDC Canada.
“(The CEOs and CFOs) are personally certifying that their annual filings are not containing any misrepresentations. There is a difference there from pre-Bill 198 in that there’s now a senior management buy-in because it is them facing the SEC and (potential) jail time. That really does help get sign off for projects,” said Wallis.
Between 2006 and 2007, the number of Canadian executives that cited Bill 198 as most important in the areas of governance, compliance and risk jumped from six per cent to 37 per cent, based on the IDC survey, which involved some 100 top executives from Canada’s largest organizations.
When instituting compliance initiatives, Wallis suggests the ultimate objective should be to reduce cost, increase efficiency and create a repeatable, automated environment that evaluates internal controls in a way that’s sustainable and scaleable.
“It’s not just about the internal controls for Bill 198 or SOX, you can also incorporate other risks and compliance and governance issues into those same automated controls,” says Wallis.
Companies like Oracle and SAP are already recognizing the need to integrate compliance measures with business processes, and have started introducing internal control features into their ERP platforms, the IDC analyst said.
Having an automated environment for risk mitigation and controls that can scale to whatever legislation or policies may come along is the more efficient way of handling compliance initiatives, Wallis said.
“There’s a complex overlap of acts and laws that every company faces – whether in the telecommunications, finance or manufacturing. Having a different way of responding to each one of these regulations is usually inefficient. You want to have some sort of an integrated system to know that you are in compliance with everything,” Wallis explained.
Despite the amount of work that lies ahead, Canadian companies are in a better position today than their U.S. counterparts a few years ago, said Mary Kirwan, president of Toronto-based IT risk and security consulting firm Headfry Inc.
Kirwan said the American SOX experience has created a significant resource for best practices for Canada.
“These new rules (in Canada) refine the Americans’ experience with Sarbanes,” Kirwan said. “There are lots of lessons that can be learned and (Canadian companies) are by no means starting very fresh.”
Among the U.S. lessons learned are around “overauditing and overcompliance”, she said.
When SOX was initially enforced companies started spending money on compliance and embarked on massive audits, without any understanding of where their risks lie in relation to SOX requirements, Kirwan explained.
“The regulators in the U.S. said that was not the intention of the law. The most emphasis should be put on key controls and identifying the key risks, and on managing and controlling those risks,” Kirwan said.
The largest and most sophisticated companies have since gone down the right path of establishing an integrated system for identifying company risks and managing them through internal controls, she said.
Such investment resulted in improved operational efficiency. The conduct of regular reviews of the organization enabled these companies to reduce duplication and allowed their IT to focus on more strategic initiatives, said Kirwan.
For smaller firms who may not have the same resources as the bigger organizations but have to comply with Bill 198, Kirwan suggests they should start with self-assessment.
“You have to understand your business and what your risks are, and streamline things as much as possible,” she said.
Simple initiatives like checks and balances and segregation of duties will come a long way in implementing internal controls, Kirwan added.
Canadian compliance: New rules, new risk