Ontario Bill 198 - Chapter 22 of the Statutes of Ontario, 2002
As a result of the turmoil in U.S. markets in 2001 and 2002, regulators in Canada wanted to re-establish investor confidence in Canadian securities. In 2002, Ontario enacted Bill 198 as Chapter 22 of the Statutes of Ontario, which introduces measures similar to the Sarbanes-Oxley Act (SOX) in the United States. The TSX, located in Toronto, Ontario, is the primary stock exchange in Canada, and therefore Bill 198 applies to almost all publicly traded companies in Canada. Bill 198 is also referred to as C-SOX (Canadian SOX).
Although Bill 198 is similar to SOX, there are some key differences. First, the timeline for full compliance in Canada is 2008, whereas in the US compliance has been required since 2004 for large public companies. Canada has taken a deliberate “watch and see” approach to learn from the US experience. Second, SOX 404 requires that the external auditors provide an opinion on the company’s assessment of its internal controls, in addition to their opinion on whether the financial position is presented fairly. This has created additional audit work and costs for U.S. companies. In contrast, the Canadian Securities Administrators (CSA) decided that external auditors are not required to offer an opinion on the company’s assessment of internal controls. Canada’s version of SOX 302 is known as MI 52-109 (Multilateral Instrument 52-109), and Canada does not plan to implement SOX 404 (MI 52-111 would have required the equivalent of SOX 404 but was rescinded in 2006 after public consultations). Third, the CSA requires that Canadian companies exercise a high level of care and diligence in reviewing and documenting their internal controls so that the controls provide “reasonable assurance” that a material misstatement will be prevented. In the US, the internal controls must reduce the risk to a “remote chance”, which is a much more stringent standard, although during 2007 the SEC issued guidance to parallel Canada’s “reasonable assurance” requirement. Fourth, although a public accounting oversight board has been established in Canada (CPAB), the board does not have the same level of independence and transparency as the PCAOB in the US.
Bill 198 was enacted in 2002; however, the deadline for full compliance was initially established by market capitalization (market value of the firm’s equity), with large capitalization companies required to be compliant by 2007 and smaller companies following by 2008. In 2006 the CSA revised the timetable so that all companies would need to be fully compliant by 2008. As a result, most of the large publicly traded companies in Canada have been working hard on their C-SOX projects for a number of years (combined with the fact that many are also listed on the NYSE and therefore needed to be SOX compliant). The Bill 198 compliance process in Canada has evolved over time, and Canadians have had the benefit of looking at the experience south of the border, taking advantage of best practices that have emerged and that will enable companies to meet their compliance objectives in a cost effective manner.
“Maintaining” the program on a go-forward basis is now the focus of many companies who have already completed their initial C-SOX mandates. For these companies, amongst other things (see Compliance Process), it is now a matter of maintaining documentation, continuing to test, and having operating departments take on more responsibility for internal controls.
Penalties for non-compliance
A general overview of C-SOX would not be complete without a brief discussion of the repercussions of non-compliance. In the US, the Sarbanes-Oxley Act of 2002 contains numerous sections pertaining to fines, penalties and prison time of up to 25 years. The SEC has taken a very hard-line position on breaches, and has sent a message to the public with some high profile accounting scandal convictions (Jeffrey Skilling, former CEO of Enron: 24 years in prison; Bernard Ebbers, former CEO of WorldCom: 25 years in prison). In Canada, Bill 198 followed with some very tough measures, and although the maximum penalties are not to the same degree as SOX, the overall message is certainly the same.
Bill 198 pertains primarily to budgetary measures, but Part XXVI deals specifically with changes to the Ontario Securities Act and introduces much more stringent financial disclosure and corporate disclosure requirements. Similar to SOX, Bill 198 requires companies to review and document their internal controls in order to support the certifications by the CEO and CFO. Furthermore, there are severe penalties for breaches. Some of the notable sections of Bill 198 are as follows:
- Section 180 – public companies must promptly report any material changes since their last filing to the OSC (Ontario Securities Commission). They must also make the changes generally available on their company web-site.
- Section 181 – directors and officers of a company that presents misleading or untrue information in any report filed with the OSC, including financial statements, can be fined up to $5 million and sentenced to 5 years in prison.
- Section 183 – the OSC can force the company and executives to give back any gains resulting from a breach, and directors and officers are deemed to have committed the breach.
- Section 184 – depending on the severity of the breach, in addition to fines of $1 million, the officers and directors can be forced to resign and be prohibited from serving as a director or officer of any public company.
- Section 185 – investors have the right to sue companies as well as individual directors and officers for issuing misleading documents, including financial statements, making false oral statements, deliberately avoiding finding out what they should have known, or not making timely disclosures.
Bottom-line – C-SOX is about making sure the numbers are correct – “telling it like it is”. That is, making sure the processes that support the numbers have controls that will detect material errors, certifying that the numbers are correct, and then being able to prove that the numbers are correct by documenting processes and ongoing testing of key controls. Ignorance cannot be used as an excuse for not getting the numbers correct.
Edelkoort Smethurst Schein CPAs LLP would be happy to assist with any questions or requirements regarding SOX or Bill 198.
C-SOX: How to implement a Bill 198 compliance program
Bill 198 regulations are not very “prescriptive” in that there are no specific guidelines to follow to ensure compliance. Other than stating what is expected at the conclusion of the process (CEO and CFO certification and proof), the CSA has not provided any particular process to ensure compliance. Generally the same can be said of SOX in the U.S., and as a result the accounting industry and businesses have had to develop a method that would ultimately result in compliance. In doing so, the accountants in the U.S. and Canada reached back into the world of internal audit and began using existing control frameworks to guide their work. The Committee of Sponsoring Organizations (COSO) had previously developed a set of definitions for what comprises an internal control (see COSO Internal Control Framework), so this was used as a benchmark and starting point. Building on this, a SOX certification process was developed to ensure a consistent review of all of the processes that support the financial statements. In the early days, this process was largely driven by the Big 4 CA firms.
Today we can take advantage of the experience of the last several years, and confidently establish an efficient and effective project plan to ensure certification. The certification process is illustrated below, and each stage will be discussed in more detail.
Similar to any other project, it is necessary to properly understand and plan the C-SOX project. Most organizations are familiar with internal control concepts, but it is advisable to provide a high level overview – the COSO definitions provide excellent summaries (see COSO executive summary). An overview of the costs, benefits and limitations of a rigorous internal control system will hopefully provide the necessary “buy in” from management on the importance of the C-SOX project. During the scoping stage, it is important to gain an overall understanding of the business – to home in on the key drivers and risks of the business that will ultimately impact the financial statements. The goals and objectives of the company’s Board of Directors and its corporate governance policies should be reviewed. Finally, the size and complexity of the business will largely dictate the amount of time and resources needed to complete the project.
During the last few years, one of the key SOX lessons has been to focus efforts in the areas that have the biggest risk and impact on the financial statements. This is done at the scoping stage, and is why it is so important to devote the requisite amount of time to “plan the work – and then work the plan”. In my opinion, if done properly, the potential gains in operating efficiencies and financial accuracy resulting from C-SOX will easily justify the costs (albeit this can be difficult to quantify).
Documentation and Evaluation of Internal Controls
After the C-SOX project has been properly scoped, the company will be ready to begin the most labour intensive phase of the work – documentation and evaluation of processes.
In this area there is no substitute for face to face meetings with operating personnel to understand what it is they are doing, the reports being used, the approval levels required, and so on.
In larger firms, specialized software is often used as a repository for the documentation, but in most companies Word documents are used. If Word is used, it is highly recommended that a standard template be developed so that there is consistency in format and information. Some companies augment the documentation process with flowcharts. While flowcharts are not necessarily required, they might be helpful in some circumstances. However, in order to control costs, they should be limited to complex processes that would be better understood with visual diagrams.
There are four main categories of internal controls that need to be reviewed and documented: Entity-Level, Business Process, IT Application controls, and IT General controls. Each of these categories has unique characteristics, but all work in tandem as part of a company’s internal control environment, and each will be discussed in more detail.
Entity Level Controls – these address the “tone at the top”: corporate governance policies (code of conduct and ethics, communication and disclosure policy, insider trading, whistle blowing), the frequency and robustness of operating reviews, the overall attitude towards internal controls and risk assessment processes, and the commitment of leadership to investment in financial reporting systems and skilled personnel. It is very important initially to gain a high level understanding of the business and the financial statements, in order to understand where the general risk of material weaknesses may exist. This will save significant time and money. In other words, the process of review begins at the top, to understand which processes will have the greatest impact on financial reporting and the associated risk that a process could indeed result in a material error. Upfront analysis and planning is critical because without it, a company can embark on a huge and unnecessary C-SOX project that will be extremely difficult to complete and maintain. Always remember that C-SOX is concerned with financial reporting – and the internal controls that support the processes that generate the financial statements. There are many other business processes that are also critical, but if they do not impact financial reporting, they are not of concern for C-SOX. Example – the evaluation of an investment in a new plant or equipment may be critical to the ongoing success of a business, but beyond the disclosures that may be required, this planning is not relevant to C-SOX. Instead, other business risks should form part of a risk management process that is distinct from C-SOX, better known as Enterprise Risk Management (ERM) – see Risk Management. Assessment of Entity-Level controls is usually quite subjective, and requires the application of considerable experience and professional judgement. It is typically based on inquiry and observation, and is conducted at the senior levels of the organization.
Business Process Controls – these are the detailed operating processes and procedures that support the business. These processes are executed at the departmental level and comprise all of the significant business cycles, such as the Sales cycle (Revenue, Receivable, and Receipt) and the Purchasing cycle (Purchase Order, Payables, and Payment). There are likely many others, in particular the Financial Reporting and Close process. Each of the business processes must be reviewed and documented (flow charts are helpful but not mandatory) to gain an understanding of the key internal controls. Taking advantage of the initial high level work, only processes that have a material impact should be documented. Example – the Petty Cash process can be excluded. Once the review and documentation is completed, the controls within the processes will be identified. These controls are typically listed in a matrix for each process (“Controls Matrix”) and reviewed to determine the following: 1) what could go wrong, 2) what is the likelihood of error, and 3) what is the impact, i.e. whether the error would result in a material error on the financial statements.
IT Application Controls – these are controls that relate to specific computer software applications and the individual transactions. For example, a company would usually place restrictions on which personnel have authorization to access its general ledger so as to revise its chart of accounts, posting / approving journal entries etc. In order to enact this policy and restrict access, the general ledger software package would require the necessary functionality. Furthermore, assuming the functionality exists, does the company have a policy in place, and is there evidence that the general ledger authorizations align with the policy? Controls around application access are obviously very important and need to be reviewed closely as part of the certification process.
IT General Controls – similar to Entity Controls, these are also considered to be “pervasive” controls that relate to the overall management of the information systems and processing environments that internal controls depend upon. The CICA Handbook specifically mentions program development, program changes, computer operations, and access to programs and data as being within scope. Some of the key processes/controls that need to be reviewed include:
- Eliminating unauthorized or incompatible user access to IT applications.
- Ensuring the accuracy and completeness of data within applications and transferring between applications (interfaces).
- Changing the functionality or development of IT applications.
- Creating, storing and accessing backup information, physical security and infrastructure management.
- Spreadsheet Controls (EUCA – End User Computer Applications – Excel, Access, etc.).
In essence, the IT function within a company is the source of the majority of data, information and reports – management relies on this to prepare financial statements, and therefore it is critical that strong controls exist in this environment.
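The application-access point above (do general ledger authorizations align with policy, and has unauthorized or incompatible access been eliminated?) is the kind of check that can be evidenced by a repeatable review rather than by inspection alone. The following is an added example, not code from the original article or from the firm that wrote it: it compares a constructed export of general ledger authorizations against a constructed access policy and a constructed list of incompatible function pairs. Every user, job title, function name and rule in it is an assumption made for illustration.

```python
"""Access review for a general-ledger (GL) application.

Added example with constructed data; not code from the original article or
the firm. It checks the two points raised in the text: that each user's GL
authorizations match the access policy for their job title, and that no
single user holds an incompatible (segregation-of-duties) combination of
functions. All users, titles, function names and rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed export of GL authorizations: user -> (job title, granted functions)
GL_AUTHORIZATIONS: Dict[str, Tuple[str, Set[str]]] = {
    "asmith": ("AP Clerk", {"post_journal"}),
    "bjones": ("Controller", {"post_journal", "approve_journal"}),
    "cwong": ("GL Accountant", {"post_journal", "maintain_chart_of_accounts"}),
    "dlee": ("Financial Analyst", {"view_reports", "post_journal"}),
    "eross": ("AP Clerk", {"post_journal", "view_reports"}),
}

# Constructed access policy: the GL functions each job title is allowed to hold
ACCESS_POLICY: Dict[str, Set[str]] = {
    "AP Clerk": {"post_journal", "view_reports"},
    "Controller": {"approve_journal", "view_reports"},
    "GL Accountant": {"post_journal", "view_reports"},
    "Financial Analyst": {"view_reports"},
}

# Constructed segregation-of-duties rules: function pairs no single user may hold
INCOMPATIBLE_PAIRS: List[FrozenSet[str]] = [
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"post_journal", "maintain_chart_of_accounts"}),
]


@dataclass
class Finding:
    user: str
    kind: str    # "unauthorized" (outside policy) or "incompatible" (SoD conflict)
    detail: str


def review_access(authorizations, policy, incompatible_pairs) -> List[Finding]:
    """Compare granted GL functions against policy and SoD rules; return findings."""
    findings: List[Finding] = []
    for user, (title, granted) in sorted(authorizations.items()):
        allowed = policy.get(title)
        if allowed is None:
            # A title with no policy entry means none of its grants are supported by policy
            findings.append(Finding(user, "unauthorized", f"no policy entry for title '{title}'"))
            allowed = set()
        for function in sorted(granted - allowed):
            findings.append(Finding(user, "unauthorized", f"'{function}' not permitted for '{title}'"))
        for pair in incompatible_pairs:
            if pair <= granted:
                findings.append(Finding(user, "incompatible", " + ".join(sorted(pair))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind; this summary is the evidence a reviewer would retain."""
    counts = {"unauthorized": 0, "incompatible": 0}
    for finding in findings:
        counts[finding.kind] += 1
    return counts


if __name__ == "__main__":
    results = review_access(GL_AUTHORIZATIONS, ACCESS_POLICY, INCOMPATIBLE_PAIRS)
    for finding in results:
        print(f"{finding.user:<8} {finding.kind:<13} {finding.detail}")
    print(summarize(results))
```

Run as-is, the review flags three grants that fall outside the policy for the user's title and two users who can both post and approve (or post and change the chart of accounts), which is exactly the evidence the certification process asks for: the policy exists, and here is the comparison showing where the system's authorizations depart from it.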
Internal Control Gaps and Remediation
After the review and documentation of processes that are within scope has been completed, the next step will be to review the key controls within each process. Note that the focus is on key controls – similar to scoping out processes, the focus should only be on the controls that are most important. How best to determine this? In many ways, the distinction is often very intuitive – the bank reconciliation should be done monthly on a timely basis and the reconciliation should be reviewed. Those are key controls. Perhaps another good control would be to ensure that the bank statement is delivered directly to the person responsible for preparing the bank reconciliation – however this is not critical and therefore would not typically be considered a key control. Often the classification of a control between key and non-key may not be obvious, and as a result a methodology has been developed to assist with this, and to provide summary information.
The method is as follows:
- What could go wrong – for each of the process controls, management should review what could go wrong if the control failed, to determine the impact on the financial statements. Furthermore, what is the likelihood that the control will fail? Reviewing each of the controls in this way will determine whether they are key or non-key, and will also provide supporting documentation for the basis used in the classification.
- Controls matrix – for each process, there should be a summary of each of the controls, listing details such as: brief description, process owner, financial statement assertion, frequency of the control, manual or automated, preventative or detective, existence of mitigating controls, key or non-key, etc. This matrix is useful as an ongoing management tool for summarizing and tracking.
- Controls table – for each key control within each process, this table provides the number of controls and risk impact.
A robust review of the internal controls as described above will allow the company to focus on key controls, and on processes that could have a significant impact on the financial statements. In this way the company can have reasonable assurance of detecting any material weakness, and will do so in the most economical way.
At this point of the process, it is usually advisable to regroup, review the documentation and key controls, and perform a “walkthrough” (sample of one) to validate each of the processes. As a result of these reviews, the company will typically realize that there are some internal control weaknesses (“gaps”) which must be “remediated”, particularly if there are weaknesses with key controls. It is very important to ensure that the gaps identified are fixed on a timely basis. There would be no point in doing this project if gaps are allowed to remain. This is where project management is critical. Upon completion of gap remediation, management is in a position to certify that its internal controls have been designed adequately.
Effectiveness of Control
As much as the design of internal controls is important, it is equally important that the controls are working as they should be – that they are working effectively. This entails testing the key controls on an ongoing basis throughout the year, and providing evidence of the testing for auditors and others to examine. Testing begins with a well planned, developed and approved test design. This should be done with care! The test designs should follow a standard template and contain all of the details required to complete the test. This will ensure consistency and continuity in testing. They are typically done on Excel spreadsheets for ease of compilation.
In reviewing the test results, management will be able to determine if there are any significant problems. Typically each test is either a Pass or a Fail. If there is a problem, it is often helpful to take into consideration any extenuating circumstances, and to expand the test or review mitigating controls. If a test is a Fail, this will require management focus and corrective action as applicable. Typically failed tests are classified as: segregation of duties, evidentiary (no proof), operational, or control design.
The test results are very important as they will indicate the extent to which a company’s internal controls are designed properly and working effectively. The failed tests will point to control deficiencies:
- Inconsequential deficiency – no reporting or remediation necessary.
- Significant Deficiency – report to Audit Committee and Auditors.
- Material Weakness – report to Audit Committee and Auditors AND report publicly in C-SOX certification. Material weakness indicates that the internal controls are not effective.
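The “what could go wrong” method and the controls table above, together with the three deficiency levels and their reporting obligations just listed, can be carried through end to end in one small model. The following is an added example, not code from the original article or the firm: it scores constructed controls by likelihood and impact, rolls them up into a controls table per process, then maps constructed test results to a deficiency level and the parties it must be reported to. The 1-5 scales, the key-control threshold and the rule that turns a failed test into a deficiency level are assumptions made for illustration; the article gives no numeric formula, and in practice that judgement takes extenuating circumstances and mitigating controls into account.

```python
"""Controls matrix scoring and deficiency classification.

Added example with constructed data; not code from the original article or
the firm. Scales, the key threshold and the failed-test-to-deficiency rule
are assumptions for illustration. The reporting obligations per level are
the ones stated in the article.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Deficiency(Enum):
    NONE = "passed"
    INCONSEQUENTIAL = "inconsequential deficiency"
    SIGNIFICANT = "significant deficiency"
    MATERIAL_WEAKNESS = "material weakness"


# Who must be told at each level, as the article states it
REPORTING: Dict[Deficiency, List[str]] = {
    Deficiency.NONE: [],
    Deficiency.INCONSEQUENTIAL: [],
    Deficiency.SIGNIFICANT: ["Audit Committee", "Auditors"],
    Deficiency.MATERIAL_WEAKNESS: ["Audit Committee", "Auditors", "public C-SOX certification"],
}


@dataclass
class Control:
    control_id: str
    process: str
    description: str
    likelihood: int   # assumed scale 1 (remote) .. 5 (likely) that the control fails
    impact: int       # assumed scale 1 (trivial) .. 5 (material misstatement)


@dataclass
class TestResult:
    control_id: str
    passed: bool
    failure_type: Optional[str] = None  # segregation of duties / evidentiary / operational / control design
    mitigating_control: bool = False    # a compensating control was identified on review


KEY_THRESHOLD = 9  # assumed: likelihood * impact at or above this makes a control "key"


def risk_score(control: Control) -> int:
    return control.likelihood * control.impact


def is_key(control: Control) -> bool:
    return risk_score(control) >= KEY_THRESHOLD


def controls_table(controls: List[Control]) -> Dict[str, Dict[str, int]]:
    """Per process: number of controls, number of key controls, highest risk score."""
    table: Dict[str, Dict[str, int]] = {}
    for c in controls:
        row = table.setdefault(c.process, {"controls": 0, "key_controls": 0, "max_risk": 0})
        row["controls"] += 1
        row["key_controls"] += int(is_key(c))
        row["max_risk"] = max(row["max_risk"], risk_score(c))
    return table


def classify(control: Control, result: TestResult) -> Deficiency:
    """Assumed rule: a failed non-key control is inconsequential; a failed key control
    is significant, and is a material weakness when impact is at the top of the
    scale and no mitigating control exists."""
    if result.passed:
        return Deficiency.NONE
    if not is_key(control):
        return Deficiency.INCONSEQUENTIAL
    if control.impact >= 5 and not result.mitigating_control:
        return Deficiency.MATERIAL_WEAKNESS
    return Deficiency.SIGNIFICANT


def classify_results(controls: List[Control], results: List[TestResult]) -> Dict[str, Deficiency]:
    by_id = {c.control_id: c for c in controls}
    return {r.control_id: classify(by_id[r.control_id], r) for r in results}


def controls_effective(classifications: Dict[str, Deficiency]) -> bool:
    """Per the article, any material weakness means the internal controls are not effective."""
    return Deficiency.MATERIAL_WEAKNESS not in classifications.values()


# Constructed controls matrix; BR-01/BR-02 mirror the article's bank reconciliation example
CONTROLS = [
    Control("BR-01", "Cash", "Monthly bank reconciliation prepared and reviewed", 3, 5),
    Control("BR-02", "Cash", "Bank statement delivered directly to preparer", 2, 2),
    Control("JE-01", "Financial Close", "Journal entries approved before posting", 3, 5),
    Control("JE-02", "Financial Close", "System restricts chart-of-accounts changes", 2, 4),
    Control("PC-01", "Petty Cash", "Monthly petty cash count", 1, 1),
]

# Constructed test results for one quarter
RESULTS = [
    TestResult("BR-01", False, "evidentiary"),
    TestResult("BR-02", False, "operational"),
    TestResult("JE-01", False, "segregation of duties", mitigating_control=True),
    TestResult("JE-02", True),
    TestResult("PC-01", True),
]

if __name__ == "__main__":
    for process, row in controls_table(CONTROLS).items():
        print(process, row)
    outcome = classify_results(CONTROLS, RESULTS)
    for control_id, level in outcome.items():
        print(control_id, level.value, "->", REPORTING[level] or "no reporting")
    print("Internal controls effective:", controls_effective(outcome))
```

In the constructed data the bank reconciliation (key, impact at the top of the scale, no evidence, nothing mitigating) lands as a material weakness and therefore forces public disclosure in the certification, the journal entry approval failure is significant because a mitigating control was found, and the non-key delivery control fails without consequence; the overall effectiveness conclusion is driven by the single material weakness, which is the point the article makes.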
Final Report / Certification
The project deliverable is the CEO and CFO certification of the design and operating effectiveness of internal controls filed with SEDAR (on-line repository web-site for all Canadian publicly traded companies). This is done on a quarterly basis. A standard certification template has been developed by the CSA and OSC. The CEO and CFO cannot delegate responsibility for this and therefore need to have sufficient knowledge to support their assertions. Typically the certification is supported by a cascading system of sign-offs to provide additional support from those accountable for the operation of controls within their respective business functions.
Is your company ready? Does it have sufficient resources, expertise, and independence to complete the C-SOX certification project? Edelkoort Smethurst Schein CPAs LLP would be happy to assist with any questions or requirements.
Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.
All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author nor the accounting firm shall accept any liability for any reliance placed on the information posted.