No audit? No problem!

First published 24 March 2006.

Cooking the books just got easier

The Ontario Securities Commission just dumped internal control audit requirements for Canadian public companies, as Professor Steve Salterio wrote in Tuesday’s Financial Post:

    On Friday March 10, 2006, the Ontario Securities Commission (OSC) decided that investors in Canadian public companies would be second-class citizens in the post-Enron era. The OSC (through the Canadian Securities Administrators) decided to dump its proposal to require Canadian public companies to provide an audit report on the effectiveness of their internals controls over financial reporting. In its place, it announced a toothless requirement for the chief executive officer and the chief financial officer to certify they have such effective controls.

    — Steve Salterio, “SOX for Canada: Investors in Canadian public companies should not be denied the U.S.-style accountability provided by Sarbanes Oxley
Financial Post, 21 March 2006

Just a quick and overly-simplified primer here, so you know how the system works.  Companies whose shares are publicly-traded on Canadian stock exchanges have to release regular financial statements to their investors and the OSC.  These statements are vetted by an external auditor who is supposed to examine not just the financial statements, but the accounting processes and financial controls of the publicly-traded company.  The auditor also offers an opinion as to the soundness and integrity of the internal controls.  This opinion in turn helps investors gauge the accuracy of the company’s financial statements, and can have an effect on the desirability (or undesirability) of the publicly-traded company’s shares.

The push for greater accountability began in earnest with the Sarbanes-Oxley Act of 2002 (a.k.a SOX), which was the US Congress’ reaction to dodgy accounting practices covered up by executive malfeasance and negligence — exemplified in the collapse of large, publicly-traded firms like Enron and MCI WorldCom.  Section 404 of SOX requires company executives to assess and report on their firm’s internal financial controls, and also for the company’s auditor to gauge whether management’s assessment was factual and realistic.  A lot of companies complain about SOX 404 requirements being too onerous and expensive.  I think this attitude has sprung up in part because many companies reacted to the legislation in a panic and began keeping minute records of everything — down to every message in the lowliest cube-dweller’s email — instead of the truly significant.

The Ontario Securities Commission adopted similar requirements in their Multilateral Instrument (MI) 52-111.  Part 2 of MI 52-111 specifies management’s responsibility to examine and report on the effectiveness of their internal financial controls, and Part 3 specifies that an external auditor is to evaluate management’s assessment and determine whether that assessment is accurate.  Part 3 also specifies that the firm that prepares the internal control audit must be the same firm that audited the company’s financial statements — so no one can show one set of books and processes to the statements auditor, and another to the control auditor.  Note that the auditor that reviews the financial statements is required to fully examine and comprehend the company’s internal control metrics and processes, whether or not they report on their effectiveness.  Although it seems airtight, understanding another company’s controls and processes can be complex, particularly if it’s a very large firm and you’re just one out of team of a hundred or so accountants assigned to audit that client.

What the OSC has just done (via CSA Notice 52-313) is decline to adopt MI 52-111 — in other words, they have removed the proposed regulatory requirement for the external auditor to report an opinion on the publicly-traded company’s financial controls.  They describe this great leap forward in transparency and accountability in a press release of March 10th:

    Montreal – The Canadian Securities Administrators (CSA) announced today proposals that would require all publicly-traded companies in all Canadian jurisdictions to report on the effectiveness of their internal controls over financial reporting, as early as December 31, 2007.

    After extensive consultation, the CSA has decided not to proceed with an earlier proposal that would have required companies to obtain from their external auditors an audit opinion in respect of management’s evaluation of the effectiveness of internal controls over financial reporting.

    “All members of the CSA have agreed on an effective way to improve the quality, reliability and transparency of financial reporting for investors by requiring disclosure of the effectiveness of the internal controls that support the integrity of financial statements,” said Jean St-Gelais, Chair of the CSA, and President and Chief Executive Officer of Québec’s Autorité des marchés financiers.

Press Release, “Regulators Release Proposals on Harmonized Internal Control Reporting Requirements
Canadian Securities Administrators, 10 March 2006.  [emphasis mine]

Somehow the first paragraph and the middle paragraph don’t quite say the same thing, do they?  The OSC will require companies to report on the effectiveness of their internal controls… but not through an independent auditor.  How will this effectiveness be gauged?  Through management, as outlined in CSA Notice 52-313:

    After careful consideration of the feedback received and recent developments internationally, particularly in the US, we propose to expand MI 52-109 to include the internal control reporting requirements discussed below.

  • The CEO and CFO of a reporting issuer, or persons performing similar functions, will be required to certify in their annual certificates that they have evaluated the effectiveness of the issuer’s internal control over financial reporting as of the end of the financial year. They will also be required to certify that, based on their evaluation, they have caused the issuer to disclose in its annual MD&A their conclusions about the effectiveness of internal control over financial reporting as of the end of the financial year.
  • As noted above, the issuer’s annual MD&A will include disclosure regarding its internal control over financial reporting.  This disclosure will include a description of the process for evaluating the effectiveness of the issuer’s internal control over financial reporting and the conclusions about the effectiveness of internal control over financial reporting as of the end of the financial year.

    The issuer will not be required to obtain from its auditor an internal control audit opinion concerning management’s assessment of the effectiveness of internal control over financial reporting.

    The board of directors and its audit committee, in consultation with management, may choose to consider whether they wish to engage the issuer’s auditor to assist in discharging their respective responsibilities for (i) the issuer’s internal control systems and (ii) review and approval of the issuer’s annual MD&A. However, engagement of the auditor will not be a requirement under MI 52-109.

    — Canadian Securities Administrators,
CSA Notice 52-313, 10 March 2006.

Management has the option of hiring a control auditor, but it’s not a requirement.  In other words, we’re back to pre-SOX, pre-Enron methods of gauging a company’s internal controls.  Think about that before you rush out to nab some newly-minted Tim Horton’s shares (TSX: THI) this morning.  All is not lost, however — Professor Salterio addresses the quandary:

    So if SOX 404 is too expensive, and management reporting over internal control effectiveness is unreliable without an audit, and the audit of financial statements does not necessarily provide any assurance directly over internal control effectiveness, then what is a regulator or standard-setter to do? The answer might be simple: Require the auditor to disclose whether he has relied on internal controls in carrying out the audit. Merely add a fourth paragraph to the auditor’s standard unqualified report (technically known as an emphasis of matters paragraph) that states: “Due to the size of XYZ Ltd., there is no regulatory requirement [that management report on the effectiveness of internal controls and] that we audit that report and form an opinion on the effectiveness of internal controls over financial reporting. Due to the [reason inserted here], we have not relied to any material extent on testing the operating effectiveness of internal controls over financial reporting in reaching our opinion on these financial statements.”

Steve Salterio, “SOX for Canada: Investors in Canadian public companies should not be denied the U.S.-style accountability provided by Sarbanes Oxley
Financial Post, 21 March 2006.  [emphasis mine]

I sure hope someone at OSC is listening.

Category: Finance, Industria  Tags:
You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.