Public Sector CEO/CFO Certification.


Public Sector CEO/CFO Certification
December 12, 2007
Presenters:
Nancy Rector, Partner, Deloitte & Touche LLP, Ottawa
Tyler Held, Senior Manager, Deloitte & Touche LLP, Halifax

Table of Contents
- Background
  - What is CEO/CFO Certification?
  - Certification and Related Initiatives in the Public Sector: some examples
- A How-To Guide
  - An Approach to CEO/CFO Certification
  - Lessons Learned
- Questions
- Contact Us

Background: What is CEO/CFO Certification?

Certification Background
CEO/CFO CERTIFICATION REQUIREMENTS: PRIVATE SECTOR
As a result of several business failures in the U.S., requirements for CEO/CFO Certification ("Certification") on internal controls over financial reporting were established. Similar requirements have been established in Canada.
The certification regulations require CEOs and CFOs to personally certify that, among other things:
- the Company's annual and interim filings do not contain any misrepresentations or omit to state any material facts;
- the financial statements and other financial information in the annual and interim filings fairly present the financial condition, results of operations and cash flows for the relevant time period;
- the Company has designed disclosure controls and procedures and evaluated the effectiveness of such disclosure controls and procedures;
- the Company has designed internal controls over financial reporting, evaluated their effectiveness, and disclosed any "material weaknesses"; and,
- the Company has disclosed material changes in internal controls over financial reporting.
Objectives include:
- Restoring public trust and confidence in public securities markets;
- Improving corporate governance and promoting ethical business practices;
- Enhancing transparency and completeness of financial statements and disclosures;
- Ensuring that company executives are aware of material information emanating from a well-controlled environment;
- Holding company management accountable for material information that is filed with the regulators and released to investors; and,
- Achieving new levels of corporate excellence.

Certification Background
FOUR MAJOR AREAS OF IMPACT
- Impact on Audit Committees: Responsibilities, Independence, Financial Literacy, AC Financial Expert
- Impact on Auditors: Regulation of Audit Firms; New Independence Standards
- Impact on Management: Continuous Disclosure Obligations; CEO/CFO Certification; Internal Control Reporting
- Penalties: Larger fines and jail terms; Disgorgement; More commitment to enforcement; Civil liability for disclosures in secondary markets

Certification Background
SCOPE OF CERTIFICATION
The controls subject to assessment include:
- Controls over initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions included in the financial statements;
- Controls related to the initiation and processing of non-routine and non-systematic transactions, such as accounts involving judgments and estimates;
- Controls related to the selection and application of appropriate accounting policies that are in accordance with the issuer's GAAP;
- Anti-fraud programs and controls;
- Controls, including information technology general controls, on which other controls are dependent;
- Controls over the period-end financial reporting process, including controls related to journal entries; and
- Controls that have a pervasive impact such as those within the control environment.

Certification Background
HOW CERTIFICATION IS DIFFERENT FROM EXTERNAL/INTERNAL AUDIT
Certification is a management-owned process:
- For most organizations, while management may be confident in their financial reporting and related internal controls, they often have no documented evidence and have done no assessment of the design and/or operating effectiveness of their internal controls.
- In today's environment, solely relying on the results of audits is seen as inadequate ownership by management for the organization's internal controls.
- Certification represents an on-going compliance monitoring program that is owned by management (not auditors) which is focused on ensuring that internal controls over financial reporting are operating as intended.
- It provides management with documented evidence of the appropriateness of the design and operating effectiveness of the organization's internal controls over financial reporting.

Background: Certification in the Public Sector

Control Focus at Canadian Federal Government Level
BACKGROUND
Origins of the issue:
- Private sector business failures and regulatory response;
- Government scandals and increased visibility of Auditor General comments;
- A new environment (don't just sign representations lightly anymore); and,
- Restoring Trust and Accountability theme.
Converging control-based requirements as a result of:
- TBS Crown corporation governance review (exploring a certification regime), February 2005. Renewed interest in 2007, and guidance is currently being developed;
- New Internal Audit Policy (renewed focus on risk and controls), effective April 2006;
- Departmental F/S audit requirement (requirement for control reliance);
- MAF assessments (expected practices and controls); and,
- Draft Financial Management Policy Framework expected to be implemented soon.

Control Focus at Canadian Federal Government Level
PROPOSED INTERNAL CONTROL POLICY
New Financial Management Policy Framework:
- Supports the Government's direction to strengthen financial management across the public service;
- Supports the re-establishment of the Office of the Comptroller General;
- Translates the CFO Model into policy terms; and
- 5 Core Financial Management Policies (one focusing on internal control).
Policy on Internal Control (Draft):
- Deputy Head responsible for extended risk management and the system of internal control;
- CFO responsible for core risk responsibilities related to financial systems, records, reporting and financial controls, including all financial controls in programs; and
- ADMs responsible for core risk responsibilities related to program systems, records, reporting, and for the implementation and operation of financial controls.

Control Focus at Canadian Federal Government Level
DRAFT POLICY ON INTERNAL CONTROL (CONT'D)
Deputy Head as the Accounting Officer will provide an annual Statement on Internal Control (SIC):
- Confirmation that the effectiveness of the system of internal control has been reviewed, including controls over financial reporting;
- Confirmation that the results of the effectiveness review have been discussed by the Deputy Head with the Audit Committee; and
- Necessary actions have been or are being taken to remedy significant failings or weaknesses with respect to internal control.
Deputy Head will obtain assurances and evidence to support SIC via:
- Audit Committee: Review of risk management and management control framework matters;
- Chief Audit Executive: Various internal audits and annual opinion on effectiveness and adequacy of risk management, control, and governance;
- Chief Financial Officer: CFO Statement of Internal Control for financial controls and internal controls over financial reporting; and
- ADMs: Stewardship Representations (SIC-like) for all controls within their purview.
Comptroller General will provide Treasury Board with a Government-wide Statement on Internal Controls.

Control Focus at Canadian Federal Government Level
CROWN CORPORATION CERTIFICATION IN CANADA
The Treasury Board of Canada Secretariat (TBS) undertook a comprehensive assessment of the governance of Crown corporations in 2004 and produced a report to Parliament entitled "Review of the Governance Framework for Canada's Crown Corporations" in February 2005.
The review identified 31 measures for improving the governance of Crown corporations.
Under the context of "Reporting: Making Transparency and Accountability Come to Life", TBS's review addressed certification for Crown corporations and stated the following:
Measure #24: In principle, the government supports the use of a certification regime adapted to the reality of public institutions. The Treasury Board of Canada Secretariat will examine, in consultation with Crown corporations, the development of a certification regime that would be applicable to all Crown corporations.
TBS is currently exploring how the certification regime will move forward. Their current efforts are focused on developing guidance for federal Crown corporations.

For Departments... a view of the Lay of the Land
Requirements being driven by existing processes, new policy and directives, and draft policies.
[Diagram: New TB Policies and Draft TB Policies]
- Fed AA / FAA: Accounting Officer may be called before PAC to answer questions on a range of topics
- Accounting Officer: Compliance with policy, procedures; System of Internal Control [financial & non-financial]; Signing of Accounts
- In Process: Policy on Internal Audit (CAE Holistic Opinion; Directive on Departmental Audit Committees); MAF Assessments; Financial Statement Audit Readiness (internal control-based audit); Integrated Risk Management (Guidance); MRRS Policy Overlap
- Planned: Policy on Internal Audit (Draft Core Management Controls); Draft Financial Management Policy Framework (Policy on Internal Control [management attestation, DH sign-off]; Financial Management & Governance; Resource Management; Financial Information & Reporting; Financial Systems); Draft Policy on Evaluation
- Leverage Documented Evidence and Assessment
Although the requirements have been introduced as separate initiatives, there are recurring themes.

Control Focus at Canadian Federal Government Level
RECURRING THEMES
Emerging requirements:
- Departmental Financial Statement Audit Requirement
- New Internal Audit Policy
- Management Accountability Framework Assessments
- Upcoming Financial Management Policy Framework
- Exploration of Crown Corp Certification
Recurring themes:
- Increased Focus on Ensuring Effectiveness and Adequacy of Risk Management, Control and Governance Processes
- Greater Emphasis on Quality of Financial Reporting and Disclosures
- Enhanced Expectations for Opinions on State of Controls and Financial Results

Recurring Themes Observed
Almost all organizations have internal controls in place and many would say that they are comfortable and confident that they are appropriate and operating effectively.
In today's environment, solely relying on the results of external and internal audits is seen as inadequate ownership by management for the organization's internal controls.
Demonstrating an effective control environment by Management requires:
- Documentation of the organization's controls; and,
- Visibility into the effectiveness of control activities.

U.S. Federal Government Internal Control Requirements
In light of the new internal control requirements for publicly-traded companies, in December 2004, the Office of Management and Budget of the United States Federal Government issued revised requirements to its 24 largest federal government agencies related to management's responsibility for internal control.
The stated purpose of the revised requirements was to improve the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting and reporting on internal control.
The revised requirements, effective in fiscal year 2006, defined management's responsibility related to internal control, the process for assessing internal control effectiveness, internal control standards, and new specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting.
The U.S. federal government requirements are extremely similar to private sector certification requirements (except that an independent audit on management's certification is not required).

A How-To Guide: An Approach to CEO/CFO Certification

Certification Background
CERTIFICATION - LINKING SENIOR MANAGEMENT/GOVERNANCE TO CONTROL ACTIVITIES
Almost all organizations have internal controls over financial reporting in place; and many would say that they are comfortable and confident that the controls are appropriate and operating effectively.
The effectiveness of senior management's oversight of the internal control structure is typically hindered because there is inadequate:
- Linkage between senior management's governance activities and the organization's control activities;
- Documentation of the organization's control framework (i.e. the control activities that are in place); and,
- Visibility into the effectiveness of control activities.
The missing link is a compliance program and infrastructure to measure and monitor the effectiveness and alignment between corporate governance and business unit/functional control activities to provide a basis for management's assertion about the effectiveness of internal controls.

Starting Point: Decomposing Financial Statements
[Diagram: Significant Accounts in the Financial Statements (Balance Sheet, Income Statement, SCFP, Notes, Other), mapped to Business Processes / Classes of Transactions (Process A, Process B, Process C), to Financial Applications (Application A, Application B), and to IT Infrastructure Services (Database, Operating System, Network)]
- Business Process Controls: Covering significant business processes identified from Financial Statement analysis
- Application Controls: Accuracy; Completeness; Validity; Authorization; Segregation of duties; Etc.
- General Computer Controls: Program development; Program changes; Program operations; Access control; Control environment
- Entity-level Controls: Control Environment; Risk Assessment; Information & Communication; Etc.

Documentation: Internal Control Reliability Model
Documentation of controls, related policies/procedures, certification approach and certification work performed is a critical requirement for certification.
Stage 1: Unreliable
- Characteristics: Controls and related policies and procedures are not in place and documented. A disclosure creation process does not exist. Employees are not aware of their responsibility for control activities. The operating effectiveness of control activities is not evaluated on a regular basis. Control deficiencies are not identified.
- Implications: Insufficient documentation to support management's certification and assertion. Level of effort to document, test, and remediate controls is significant.
Stage 2: Insufficient
- Characteristics: Controls and related policies and procedures are in place but not fully documented. A disclosure creation process is in place but not fully documented. Employees may not be aware of their responsibility for control activities. The operating effectiveness of control activities is not adequately evaluated on a regular basis and the process is not fully documented. Control deficiencies may be identified but are not remediated in a timely manner.
- Implications: Insufficient documentation to support management's certification and assertion. Level of effort to document, test, and remediate controls is significant.
Stage 3: Reliable
- Characteristics: Controls and related policies and procedures are in place and adequately documented. A disclosure creation process is in place and adequately documented. Employees are aware of their responsibility for control activities. The operating effectiveness of control activities is evaluated on a periodic basis (e.g., quarterly) and the process is adequately documented. Control deficiencies are identified and remediated in a timely manner.
- Implications: Sufficient documentation to support management's certification and assertion. Level of effort to document, test, and remediate controls may be significant depending on the company's circumstances.
Stage 4: Optimal
- Characteristics: Meets all of the characteristics of Stage 3. An enterprise-wide control and risk management program exists such that controls and procedures are documented and continuously reevaluated to reflect major process or organizational changes. A self-assessment process is used to evaluate the design and effectiveness of controls. Technology is leveraged to document processes, control objectives and activities, identify gaps, and evaluate the effectiveness of controls.
- Implications: Implications of Stage 3. Improved decision-making because of high-quality, timely information. Efficient use of internal resources. Real-time monitoring.

Summary: Certification Readiness Roadmap
[Diagram: nine steps plotted against Business Value and Internal Control Compliance]
1. Plan & Scope: Financial reporting process; Supporting systems; Consider long-term sustainability
2. Perform Risk Assessment: Probability & Impact to business; Size / complexity
3. Identify Significant Controls: Entity, Process, Application, IT General Controls
4. Document Controls: Policy manuals; Procedures; Narratives and control matrices; Flowcharts; Configurations; Assessment questionnaires
5. Evaluate Control Design: Mitigates control risk to an acceptable level; Understood by users
6. Evaluate Operational Effectiveness: Internal audit; Technical testing; Self assessment; Inquiry + All locations and controls (annual)
7. Identify & Remediate Deficiencies: Significant deficiencies; Material weakness; Remediation
8. Document Process & Results: Coordination with Auditors; Internal sign-off; Independent sign-off
9. Build Sustainability: Internal evaluation; External evaluation

Select a Suitable Internal Control Framework
COSO FRAMEWORK
The de facto standard for most organizations undertaking certification programs has been the COSO control framework.
COBIT: A MODEL FOR GENERAL COMPUTER CONTROLS
The IT Governance Institute has recently published updated guidance for IT professionals on how to address Sarbanes-Oxley from an IT perspective using COBIT.

A How-To Guide: Lessons Learned

Lessons Learned
A few hazards that should be recognized on the compliance journey include:
- Jumping in quickly to document processes without a plan;
- Shallow and narrow approaches;
- Aversion to undertaking risk assessment;
- Mergers, Acquisitions & Subsidiaries - Clashing cultures;
- Not involving/addressing IT adequately;
- Inadequate attention to outsourced service providers;
- Lack of senior management and Board buy-in/engagement;
- Inadequate project management support;
- Insufficient involvement of external auditors; and,
- Inadequate consideration of long-term sustainability.

Questions

Contact Us
Nancy Rector, Partner, Deloitte & Touche LLP
Telephone: 613 751-5345
Email: nrector@deloitte.ca
Tyler Held, Senior Manager, Deloitte & Touche LLP
Telephone: 902 496-2744
Email: tyheld@deloitte.ca

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,600 people in 56 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.