PwC. Bill 198 Overview September 2004

Transcription

1 PwC Bill 198 Overview September 2004

2 Agenda Welcome and overview Regulatory environment and background Three rules: Strategies for implementing the CEO/CFO certification process Requirements for audit committees New auditor oversight Lessons learned Top 10 project considerations

3 Bill 198 Regulatory environment and background

4 Why Regulators Took Action Corporate Scandals have shaken general investor confidence Sarbanes-Oxley Act passed by US congress Corporate governance under scrutiny Bill WHY THE RULES CAME OUT Disclosure controls and internal controls over financial reporting new areas of focus Audit committee and auditor independence an area of concern Bill 198 Page 4 PricewaterhouseCoopers LLP September 2004

5 Regulatory environment and background Key regulatory dates 2002 The Sarbanes- Oxley Act is issued and Bill 198 receives Royal assent AUGUST 2002 OCTOBER 2002 JUNE SEC issues Sarbanes- Oxley Act Section 302 rules SEC issues proposed Sarbanes- Oxley Act Section 404 rules 2003 JUNE 2003 JANUARY 2004 SEC issues final Sarbanes- Oxley Act Section 404 rules CSA issues proposed rules under Bill 198 for comment CSA issues final rules under Bill 198

6 Regulatory environment and background The Canadian response Bill 198 Amends Securities Act (Ontario) Broadens Ontario Securities Commission (OSC) powers Penalties for noncompliance and fraud increased Regulators directed to develop rules to enhance investor confidence CSA issued three rules, effective March 30, 2004 aimed at Improving the quality and reliability of reporting disclosure Strengthening the independence and authority of audit committees Improving public confidence in the integrity of financial reporting of public companies

7 Strategies for implementing the CEO/CFO certification process Multilateral Instrument Certification of disclosure in issuers annual and interim filings

8 MI : Strategies for implementing the CEO/CFO certification process Accountability through personal certifications MI requires CEOs and CFOs of all reporting issuers to personally certify disclosures made in interim and annual filings Filings to be certified: Annual Information Form (AIF) Annual financial statements Annual MD&A Interim financial statements Interim MD&A Issuers that comply with US laws implementing the certification under Section 302 of the Sarbanes-Oxley Act (SOX) and file these certificates through the System for Electronic Document Analysis and Retrieval (SEDAR) will be exempt from meeting the requirements of this rule.

9 MI : Strategies for implementing the CEO/CFO certification process Filings Annual + Interim Annual + Interim Annual + Interim Annual + Interim Annual + Interim Annual + Interim Annual + Interim Annual Only CEO and CFO must certify that They have reviewed the annual/interim filings for the period ending Based on their knowledge, the annual/interim filings do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading in light of the circumstances under which it was made, with respect to the period covered by the annual/interim filings. Based on their knowledge, the annual/interim financial statements together with the other financial information in the annual/interim filings present in all material respects the financial condition, results of operations and cash flows of the issuer, as of the date and for periods presented in the annual/interim filings. They are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the issuer. They have designed or supervised the design of disclosure controls and procedures to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, is made known to them by others within those entities. They have designed or supervised the design of internal control over financial reporting to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer s GAAP. They have caused the issuer to disclose in the interim/annual MD&A any change in the issuer s internal control over financial reporting that occurred during the issuer s most recent interim period that has materially affected or is reasonably likely to materially affect, the issuer s internal control over financial reporting. They have evaluated the effectiveness of disclosure controls and procedures as of the end of the period covered by the annual filings, and have disclosed in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on his/her evaluation.

10 MI : Strategies for implementing the CEO/CFO certification process Compliance dates for certification of disclosure January 1, 2004 March 30, 2005 Certification requirements (annual and interim) apply to financial years and interim periods on or after January 1, Issuers may file a bare form certificate in respect of any year ending on or before March 30, Issuers may file a bare form certificate for interim periods prior to the date of the full form annual certification. Bill 198 Page 10 PricewaterhouseCoopers LLP September 2004

11 MI : Strategies for implementing the CEO/CFO certification process Consider an issuer with a December 31 year end... March 31, 2004 Sept. 30, 2005 Dec. 31, 2005 March 31, 2006 Issuer could file a bare form interim certificate for interim period ending March 31, Issuer could continue to file a bare form interim certificate up to and including September 30, First full form annual certificate would be filed for December 31, First full form interim certificate would be filed for March 31, Bill 198 Page 11 PricewaterhouseCoopers LLP September 2004

12 MI : Strategies for implementing the CEO/CFO certification process Comparison to the Sarbanes-Oxley Act CSA Rules currently do not require: quarterly evaluation of the effectiveness of disclosure controls and procedures management s assessment of the effectiveness of internal controls over financial reporting external auditor s opinion on the effectiveness of internal controls over financial reporting or on management s assessment However, as a separate initiative, the Canadian Securities Administrators (CSA) are in the process of developing a Sarbanes-Oxley 404-type rule.

13 MI : Strategies for implementing the CEO/CFO certification process Certification definitions Disclosure controls and procedures disclosure controls and procedures means controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports is recorded, processed, summarized and reported within the time periods specified in the provincial or territorial securities legislation and include...controls and procedures designed to ensure that information required to be disclosed is accumulated and communicated to the issuer s management, including Its CEO and CFO, as appropriate to allow timely decisions regarding disclosure. PricewaterhouseCoopers LLP

14 Disclosure controls Key points of focus Disclosure policy Procedures for collecting information Procedures for capturing information Procedures for evaluating information Procedures for disclosing information Disclosure committee and training Monitoring and oversight Cascading certificates

15 MI : Strategies for implementing the CEO/CFO certification process Certification definitions Internal control over financial reporting internal control over financial reporting means a process designed by, or under the supervision of, the issuer s CEO and CFO, or persons performing similar functions, and effected by the issuer s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer s GAAP... PricewaterhouseCoopers LLP

16 Internal controls Key points of focus Company-level controls Business process documentation Control objectives Risks Manual controls Automated application controls General computer controls Monitoring controls

17 MI : Strategies for implementing the CEO/CFO certification process What do you need to have in place to be able to sign the certificate? Well-designed, documented and monitored disclosure controls and procedures and internal controls over financial reporting, including all relevant policies, procedures and operating principles at significant locations A process for evaluating and reporting on the design and operating effectiveness of disclosure controls and procedures (expected to be extended to include internal controls over financial reporting) Bill 198 Page 17 PricewaterhouseCoopers LLP September 2004

18 MI : Strategies for implementing the CEO/CFO certification process What do you need to have in place to be able to sign the certificate? An internal control infrastructure that: facilitates communication, reporting, training, incident identification and issues management facilitates ongoing monitoring of the system of internal control and completion of applicable control procedures ultimately provides management with confidence that the internal control structure is effective and can be evaluated and tested on an ongoing basis Regulators will expect companies to have evidence of the design and evaluation of disclosure controls and procedures and internal controls over financial reporting.

19 MI : Strategies for implementing the CEO/CFO certification process Response Compliance project Companies are undergoing comprehensive projects to identify, document and validate controls (disclosure and financial reporting). Compliance projects are being planned and executed to provide necessary information on the design and operating effectiveness of controls to provide a basis for certifications. While a SOX 404-type rule has not yet been enacted, many companies are taking all necessary steps to ensure they will be in a position to comply with an SOX 404-type requirement. Synergies are available for companies who take an integrated project approach integrating efforts to document, evaluate and remediate disclosure controls and internal controls. Bill 198 Page 19 PricewaterhouseCoopers LLP September 2004

20 MI : Strategies for implementing the CEO/CFO certification process MI compliance project approach Key elements Step 1 Step 2 Step 3 Step 4 Step 5 Scoping and Project Planning Document Controls and Evaluate Design Effectiveness Test Controls and Evaluate Operating Effectiveness Implement Cascading Certification Process Evaluate, Report, and Certify Establish project governance structure Determine project scope Determine criteria and process for evaluating control deficiencies Develop detailed project plan Document company-level controls Document disclosure controls and procedures Evaluate the design effectiveness of disclosure controls Evaluate and remediate design effectiveness deficiencies Develop cascading certification package Work with certifying individuals to implement the cascading certification process Receive and evaluate cascading certification packages Report to the Audit Committee Certify Certify Ongoing project management and communication with external auditor

21 MI : Strategies for implementing the CEO/CFO certification process Integrated compliance project approach Key elements Step 1 Step 2 Step 3 Step 4 Step 5 Scoping and Project Planning Document Controls and Evaluate Design Effectiveness Test Controls and Evaluate Operating Effectiveness Implement Cascading Certification Process Evaluate, Report, and Certify Establish project governance structure Determine project scope Determine criteria and process for evaluating control deficiencies Develop detailed project plan Document companylevel controls Document disclosure controls and procedures Document business processes and IC over FR at the transaction level Evaluate the design effectiveness of disclosure controls Perform walkthroughs and evaluate design of IC over FR Evaluate and remediate design effectiveness deficiencies Develop controls testing approach and methodology Develop controls testing plan and procedures Execute tests of controls and evaluate operating effectiveness Evaluate and remediate operating effectiveness deficiencies Develop cascading certification package Work with certifying individuals to implement the cascading certification process Receive and evaluate cascading certification packages Perform update testing to confirm operation of controls Report to the Audit Committee Certify Ongoing project management and communication with external auditor

22 MI : Strategies for implementing the CEO/CFO certification process Ongoing monitoring and maintenance Following the first year of certification, management will continue to work on entrenching controls monitoring and maintenance processes into day-to-day business practices. This will include implementing processes for updating controls-related documentation for changes that impact the control structure (processes, people, systems, business, etc.). Requires ongoing oversight of the compliance process, documentation, controls testing and cascading certification process by senior management, the disclosure committee and the audit committee Includes ongoing processes for identifying, documenting, evaluating, communicating/reporting and remediating any control deficiencies

23 Requirements for audit committees Multilateral Instrument Audit committees

24 MI : Requirements for audit committees New Rules Address Audit Committee composition Definition of Audit Committee Member Independence Audit Committee responsibilities Required disclosures Effectiveness of the audit committee is a key element of the Control Environment, and is typically evaluated during Step 2 - Document Company-Level Controls Bill 198 Page 24 PricewaterhouseCoopers LLP September 2004

25 New auditor oversight National Instrument Auditor oversight

26 Lessons learned PwC s global Sarbanes-Oxley experience

27 Lessons learned PwC s global Sarbanes-Oxley experience The silo approach towards the implementation of sections 302 (disclosure controls and procedures) and 404 (internal controls over financial reporting) may result in inefficient utilization of resources and lead to incomplete results. The lack of appreciation that compliance with sections 302 and 404 is a significant undertaking often leads to poorly governed and planned projects. As with any other significant entity-wide initiative, the lack of commitment to, and ownership of, the project from the top means almost certain failure.

28 Lessons learned PwC s global Sarbanes-Oxley experience Organizations that start documenting processes and controls too quickly without a clear scope and plan wind up gathering unnecessary information and wasting time, effort and goodwill on the part of divisional management and business process owners. Documentation should follow a standardized framework with clearly defined templates, formats, structures and accountabilities.

29 Lessons learned PwC s global Sarbanes-Oxley experience The importance of quality assurance/review of process and controls-related documentation and evaluations cannot be over emphasized; the lack thereof tends to result in significant re-work and added cost. Organizations that jump into documenting and evaluating controls without a clear process and criteria for evaluating control deficiencies often lack consistency in their evaluation.

30 Top 10 project considerations 1. Start early 2. Get support from senior management 3. Invest time in planning and scoping 4. Define processes, methodologies, criteria 5. Ask the experts 6. Involve others 7. Create awareness 8. Prepare for SOX 404-type requirement 9. Implement strong project management 10. Establish accountability

31 Thank you PricewaterhouseCoopers LLP, Canada. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited liability partnership, or, as the context requires, the network of member firms of PricewaterhouseCoopers *connectedthinking International Limited, each of which is a separate and independent legal entity. PwC