The CEO and CFO are required to certify various matters to their securities administrators under NI 52-109. These certifications are based on the existence of an effective system of internal control and management is expected to obtain persuasive evidence to support the conclusion that those controls are effective. What constitutes persuasive evidence is a matter of judgment, but the public nature of the certifications elevates both the quality and quantity of evidence required, putting a higher degree of responsibility on management.

With that mandate in mind, there are two areas that should be given specific consideration by management and the board of directors:

1. Processes and controls

To successfully identify relevant risks and related process-level controls, it is necessary to have a clear picture of business processes and the flow of information. Typically management demonstrates this understanding by describing it in a flowchart or narrative, which should address activities starting when a transaction is initiated and continuing until it is reported in the financial statements. Management then uses the flowchart/narrative to identify risks (what-could-go-wrongs) and the related controls that mitigate those risks.

Written documentation of how, when and by whom controls are executed increases the accountability of the control owners, makes the established control procedures more difficult to circumvent and facilitates the transfer of ownership of controls in case of personnel turnover. Furthermore, it is the basis for obtaining persuasive evidence of the existence and operation of an effective system of internal controls.

2. Management Review Controls (MRCs)

Review by knowledgeable and engaged management is essential to an effective system of internal control, especially for those areas of the financial statements involving significant judgment and subjectivity. However, it can be more difficult to obtain sufficient evidence about how MRCs have been designed and if they are operating effectively. As judgment and complexity increase, so can the potential for a higher risk of material misstatement—meaning the persuasiveness of the evidence required to demonstrate the design and operating effectiveness of the MRC increases.

The challenge with many MRCs is well described in the COSO Framework, which states “controls that require a significant degree of judgment cannot be performed entirely in the minds of senior management without some documentation of management’s thought process and analyses.” When individuals executing MRCs do not fully document their thought processes, it is difficult—sometimes impossible—to properly assess the effectiveness of the controls. For example, a well-documented MRC should include an indication of the precision of the control (i.e., what would be further investigated) and the resolution of any investigated outliers. While these can be highly judgemental decisions, formalizing thresholds for follow-up strengthens the effectiveness of the control.

Key questions to consider before certifying

• Does our documentation support management’s assessment that the five components and 17 principles of internal control are present and functioning and that the components are working together in an integrated manner?
• How do we ensure that MRCs are comprehensively documented/evidenced, particularly in areas of high judgment and complexity that are material to the financial statements?
• Do our auditors think our processes and controls, especially MRCs, are well-documented?
• How would improving the documentation and operation of internal controls impact our audit?
• Would this make the audit more effective and efficient?

Next steps: