This is the first article of a three-part series covering CSA continuous review of controls.
In July 2016, the Canadian Securities Administrators reported (CSA Staff Notice 51-346) the results of their continuous review program for the fiscal year ended March 31, 2016. The program included 902 reviews and required further actions (either corrective or prospective) to be taken in 73% of cases. The results raise questions concerning the effectiveness of the disclosure controls and procedures (DC&P) and the internal controls over financial reporting (ICFR) at the issuers reviewed and may contain lessons for issuers at large—including their boards, whose mandate includes controls oversight.
Certification should mean effectiveness
Since December 15, 2008, the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) of issuers have been required to make certifications in accordance with NI 52-109 (Certification of Disclosure in Issuers’ Interim and Annual Filings), which mandates the establishment and maintenance of DC&P and ICFR. While responsibility for day-to-day management of the issuer is generally delegated to management (including the CEO and CFO), the ultimate responsibility for the stewardship of the entity remains with the board—this includes being responsible for internal control.
Simply put, through their certifications, the CEO and the CFO, with the concurrence of their board of directors, have told the securities regulators that their systems can be relied upon to produce appropriate and timely information. Fundamental to this assertion is the existence of an effective system of internal control. For almost three-quarters of the issuers whose continuous disclosure was reviewed in fiscal 2016, the CSA identified opportunities for improvement, which should raise a red flag with boards that assented to certification.
The internal control framework
In designing ICFR, the issuer uses a framework for internal control, most commonly COSO 2013, which is specified in the certification. Internal control is defined by COSO 2013 as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”. An effective system of internal control requires each of five components and seventeen principles (see Appendix A) to be present, functioning and operating together in an integrated manner. While this framework may appear daunting, it is not overly prescriptive and is scalable. No two entities can or should have the identical system of internal control—the challenge is to find the right system, with the right balance for the organization.
Key questions for management and the board to consider:
Achieving the right level of internal control can be challenging, and it must be given appropriate time and consideration. Examining and fully understanding the COSO framework can help boards and management reflect upon their own organizational controls and on how they can and will meet the CSA’s continuous disclosure expectations. Boards should also carefully consider whether the organization has made the comprehensive and robust assessments necessary to conclude that its system of internal control is effective.