Internal Controls over Financial Reporting FROM INVISIBLE TO VISIBLE

Size: px

Start display at page:

Download "Internal Controls over Financial Reporting FROM INVISIBLE TO VISIBLE"

Rachel Cain
5 years ago
Views:

1 Internal Controls over Financial Reporting FROM INVISIBLE TO VISIBLE 1

2 Agenda Introductions Achieving the benefits from an effective system of internal control over financial reporting The benefits The challenge Make the management of internal controls over financial reporting visible throughout the organization Focus on the benefits of internal controls at all levels of the organization Clarify the governance over internal controls Recognize the difficulties in maintaining an effective system of internal control 2

3 Introductions Orbis Risk Consulting helps clients in the public and regulated / legislated sectors meet their management challenges, deal with risk, take advantage of new opportunities and improve performance. Orbis has extensive experience in risk management, risk and control selfassessment and audit, in the public, private and not for profit sectors, both internationally and domestically. Orbis mission is to equip our clients with knowledge, innovative ideas and transformative solutions, empowering them to make difficult decisions and achieve their goals. We seek to provide fearless advice to our clients, listening to and understanding their needs, and faithfully delivering. We provide trusted relationships with leading experts, supporting excellence in service delivery. 3

Introductions Claire Lake: Kayleigh Phypers: Claire Lake

consulting, financial management and accounting related

development and implementation including assessments,

advisory activities; within private and public sector

Kayleigh is a graduate of McMaster University who focuses

risk and process improvement projects for a variety of

She has been involved in assisting in completing tasks

4 Introductions Claire Lake: Kayleigh Phypers: Claire Lake is the Partner in charge of our Internal Controls and Financial Management practice. She has over 20 years of experience in management consulting, financial management and accounting related services; specifically internal control design, development and implementation including assessments, documentation and testing of internal controls, and other advisory activities; within private and public sector organizations. Kayleigh is a graduate of McMaster University who focuses on financial management consulting and internal controls, risk and process improvement projects for a variety of clients in the public and private sectors. She has been involved in assisting in completing tasks including the development, implementation and testing of internal controls and presenting results of testing to Project Authorities and their management. Orbis ICFR experience includes 4

5 Achieving the Benefits From an Effective System of Internal Control THE BENEFITS AND THE CHALLENGES 5

6 Achieving the Benefits from Internal Controls over Financial Reporting Internal Controls what are they? The history of internal control over financial reporting What are the benefits of internal controls over financial reporting? What are the challenges of ensuring the organization has an effective system of internal controls over financial reporting? 6

7 Internal Control Definition Internal control is broadly defined as a a process, effected by an entity s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives regarding: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Help achieve performance and profitability targets and prevent loss of resources. Help ensure reliable financial reporting Help to comply with laws and regulations, avoiding damage to reputation and other consequences. It helps an enterprise gets where it wants to go, avoiding pitfalls and surprises along the way. Source: 7

8 The History of Internal Controls Private sector influence Sarbanes-Oxley Act (SOX) 2002 United States federal law that set new or enhanced standards for all public company boards, management and public accounting firms. Top management must certify the accuracy of financial information. It increased the independence of outside auditors that review the accuracy of corporate financial statements and increased the oversight role of the board of directors. Ontario Budget Measures Act (Bill 198) 2003 The Canadian equivalent to SOX to ensure public trust. Amended the Securities Act Ontario which broadened the Ontario Securities Commission powers, increased penalties for non compliance and fraud Canadian Securities Administrators 2004 Issued three rules regarding improving the quality and reliability of reporting disclosure; strengthening the independence and authority of audit committees, and improving public confidence in the integrity of financial reporting of public companies. 8

9 The History of Internal Controls Public sector influence Federal Accountability Act 2006 The act was released to provide specific measures to help strengthen accountability and increase transparency and oversight in government operations. Policy on Internal Control 2009 The policy was released to ensure risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting. 9

10 The History of Internal Controls 2002 Sarbanes- Oxley (SOX) Act 2004 CSA Reform 2009 Policy on Internal Control (PIC) 2003 Ontario Budget Measures Act (Bill 198) 2006 Federal Accountability Act (FedAA) 10

11 Application and Requirements Sarbanes-Oxley Act The SOX Act amends or supplements existing legislation pertaining to securities regulations. The two key provisions of the SOX Act are: Section 302 Senior management is required to certify the accuracy of reported financial statements. Section 404 Management and auditors are required to establish internal controls. They are also required to establish reporting methods on the adequacy of any internal controls established. Ontario Budget Measures Act The Budget Measures Act made amendments to the Ontario Securities act and several other statutes. Keys provisions of the Budget Measures Act: MI Requires that CEOs and CFOs personally sign off on disclosures made in interim and annual filings. MI Requires that auditors be engaged in an independent oversight program established by CPAB MI Requirements for how audit committees are composed and their role of reporting issues 11

12 Application and Requirements Federal Accountability Act mandate is to provide specific measures to help strengthen accountability and increase transparency and oversight in government operations. Major reporting requirement changes Creation of a parliamentary budget authority and ethics commissioner. Reforms made for the financing of political parties and the procurement process. Policy on Internal Control the policy applies to all departments as defined in section 2 of the Financial Administration Act. Major provisions of the Policy on Internal Control Deputy Heads and CFOs are responsible for signing off on the Statement of Management Responsibility Including Internal Control Over Financial Reporting. Which is done to ensure that compliance with the policy and supporting directives and standards are met. Comptroller General of Canada is responsible for ensuring that departments are in compliance with the PIC 12

13 Internal Controls Organization management always seek ways to better control the enterprises they run. Through this they can ensure the organization is on target to meet its goals and objectives, that surprises along the way are minimized. It also allows management to cope with rapidly changing economic and competitive environments, shifting demands and priorities, and restructuring for future growth. Internal controls promote efficiency, reduce the risk of asset loss and help ensure the reliability of financial information and compliance with laws and regulations. As controls are so important to an organization there are increasing calls for better more reliable internal control systems and the ability to provide a report card on them. Internal controls are a solution rather than a problem. 13

14 Internal Controls But assessing, improving and implementing controls is often like pushing on a piece of rope Senior Management may want to have a reliable effective system of internal control but they don t want to hear they have weaknesses or gaps in their current system. Management don t want to hear about internal controls as its often yet another thing they need to think about or report upon. Staff don t want to hear there are rules and regulations they have to obey rather than just getting on with their job. why do I need a credit card limit I just need to be able to purchase the stock I need without someone telling me I can t. 14

15 Internal control what people tend to think Internal Control that s why we have internal auditors? Internal controls are a necessary evil they take time away from our core activities Internal Controls are just functional policies and procedures we don t have to do anything at the program level Internal Control is a finance thing we do what the controllers office tells us to do Internal Controls are essentially negative like a list of thou shalt nots

16 Internal control what it really is. Built into the business processes All areas, regions, levels are owners and operators of controls That s why we need Internal Control! Providing reasonable assurance that organization s, function s and program s objectives will be achieved Integral to every aspect of the business Make the right things happen the first time and every time

17 The Internal Control Framework Internal controls support the organization in its efforts to achieve its strategic and operating goals and objectives At all levels of the organization e.g. divisional, operating, functional To meet its operational, reporting and compliance requirements Monitoring Control Activities Risk Management Assessment Internal Environment * Concepts for the COSO Framework diagram are taken, in part, from the Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework and the Enterprise Risk Management Integrated Framework.

18 Implementing an Effective System of Internal Controls over Financial Reporting If internal controls are so good for an organization why is assessing, implementing and developing an effective system internal controls so difficult for an organization to accept? The benefits of internal controls are conceptual and difficult to prove: Successful controls means errors or risks don t materialize There is confusion regarding responsibility for the effectiveness of internal controls It s the responsibility of Finance, its Internal Audit, it s the External Auditors Acceptance of gaps/weaknesses in internal controls is difficult to accept We have the documentation you just didn t look in the right place Support of management wavers We ve got more important things to do Internal Controls are Invisible to organizations 18

19 Making the Invisible Visible HOW TO ACHIEVE A SUCCESSFUL SYSTEM OF INTERNAL CONTROL 19

20 Make the Management of Internal Controls Visible Throughout the Organization Achieving an effective system of internal control is about recognizing the importance of people in the implementation, adoption and management of controls throughout the organization. Our proven approach is to focus on making the management of internal controls over financial reporting visible within an organization Focus on ensuring the benefits of internal controls are really understood and communicated Ensure management of controls is clear throughout the organization Recognize the management of controls is difficult and needs robust change management 20

21 Focus on the Benefits of Controls at All Levels of the Organization THE BURNING PLATFORM 21

Making Internal Controls Meaningful There is often an unrealistic expectations regarding internal controls Internal

It cannot change an inherently poor manager into a good one but it can help spot poor decisions.

Can help an organization achieve its objectives. Can provide reasonable assurance to the management and the board.

22 Making Internal Controls Meaningful There is often an unrealistic expectations regarding internal controls Internal Controls cannot ensure an entity s success. It cannot change an inherently poor manager into a good one but it can help spot poor decisions. Controls cannot stop individuals colluding to circumvent rules and management always has an override ability. Can help an organization achieve its objectives. Can provide reasonable assurance to the management and the board. The likelihood of achievement is affected by limitations inherent in the system e.g. faulty decision making despite the facts being presented, simple errors or mistakes. It can provide management information about progress or lack of progress. 22

Benefits The benefits of maintaining an effective system of internal control focus are often explained in technical terms pitched at the organizational level: compliance to rules and regulations

23 Benefits The benefits of maintaining an effective system of internal control focus are often explained in technical terms pitched at the organizational level: compliance to rules and regulations achieving the organization s objectives But these are esoteric only understood by a small number of people with specialized knowledge and not directly relevant to those who operate controls Why should I care about internal controls? What s in it for me? To ensure success its important to make it real for all of those in the organization Conversation with the Stock Manager Warehouse ICFR Manager: Internal controls are needed to ensure existence, value, completeness so that the asset value in the balance sheet reflects the value of stock held by the company. Stock Manager:??? Try instead ICFR Manager: do you keep track of the type and volume of stock you have in the warehouse to ensure there is enough for operations, to make sure it hasn t been stolen or become outdated? Stock Manager: absolutely here s our stock book ICFR Manager: excellent, can you show me that Speak about internal controls in terms of what makes their jobs easier and impact their outputs 23

24 Benefits The key is to explain benefits at the level appropriate to the person being impacted: Level Impacted Benefits Examples DACC Meeting compliance requirements Clearer understanding of the reliability of financial information Deputy Head Meeting compliance requirements can sign the financial statements with faith in the numbers Improved ability to make fact based decisions Senior Management Reliability of financial information Improved ability to make fact based decisions Ability to identify and implement efficiency and effectiveness requirements Management Assurance that processes are operating as intended Ability to focus attention on other issues as reduced oversight requirements Staff Understanding of where to focus efforts Understanding of critical steps in process Documented process and procedures 24

25 Smart Controls The fear with internal controls over financial reporting for many staff is that it will result in more things to do. Its important to recognize that controls are not about doing more but more about doing the right thing; Excessive Controls Increased bureaucracy Reduced productivity Increased complexity Increased process time Increase of no value activities Internal controls: making the correct actions happen the first time and every time Controls must be implemented thoughtfully, conscientiously and consistently. Good Controls Tips No rubber stamps for work Protect your signature no blank signed forms Question unusual items Ensure supporting documentation is retained Support with recorded policies and procedure 25

Recognize its about smarter controls not more controls Concentrate on the critical steps in the process so you know where resources

26 Benefits Summary Define benefits in terms of position in the organization Regulatory and legislative compliance for the organization Oversight for management and Canadians Reliability of processes and transactions for operating leaders Efficiency for staff Recognize its about smarter controls not more controls Concentrate on the critical steps in the process so you know where resources and efforts should be Reduces rework and errors get it right first time and every time Improves reliability so don t have to keep checking 26

27 Clarify the Governance of Internal Controls INTEGRATE THE MANAGEMENT OF INTERNAL CONTROLS ACROSS THE ORGANIZATION 27

Governance structure for Internal Controls The governance of internal control management needs to be clear, visible and regularly publicized: Clear roles and responsibilities for managing and

28 Governance structure for Internal Controls The governance of internal control management needs to be clear, visible and regularly publicized: Clear roles and responsibilities for managing and operating internal controls defined and communicated throughout the organization Raise the profile of internal controls at the oversight bodies Build internal control status reporting into the management structure 28

29 Clear Roles and Responsibilities An effective system of internal controls over financial reporting is often thought of as the responsibility of Finance and Internal Audit. Legislation helps promote the idea that: Deputy Heads have always had the responsibility to ensure that internal controls are regularly reviewed in the context of risk, ensuring that those internal controls are balanced against and proportional to the risk they mitigate Policy on Internal Control And that this responsibility is delegated to the Chief Financial Officer: The CFO supports the Deputy Head by establishing and maintaining a system of internal control related to financial management including financial reporting and departmental accounts Policy on Internal Control 29

30 Clear Roles and Responsibilities..But ensuring financial information is correctly recognized and that the information is successfully entered into the financial system is often the responsibility of operational staff The Activity - Purchasing and Asset The budget is confirmed to purchase an asset and a commitment is entered into the budget A contract is entered into to purchase an asset Approval of the purchase The asset is purchased and the details of the purchase is recorded e.g. cost, type of asset, volume of asset purchased, date of purchase Approval of the purchase Approval of the recording of the expense Control Responsibility Operational staff The RCM (the Resource Center Manager) Contracting staff ensure the contract is correctly issued Operational staff ensure the contract is managed and the asset received The RCM (the Resource Centre Manager) Operational staff The RCM (the Resource Centre Manager) The Finance Staff 30

31 Clear Roles and Responsibilities To enact an effective system of internal control it is important that roles and responsibilities are clearly defined and communicated throughout the organization: Establish the Governance Structure for the system of internal controls over financial reporting Identify which stakeholders should be involved in managing the system of internal controls Document the roles and responsibilities for operating internal controls over financial reporting Validate roles and responsibilities with management Capture roles and responsibilities for internal control management within operational performance accords Make the assurance regarding the effectiveness of internal controls wider than just an annual statement think about proof of compliance, think about annual self-assessments, think about confirmation about the financial control framework in place. 31

32 Raise the Profile of Internal Controls at the Oversight Bodies Oversight of controls is also not just the responsibility of Finance or the CFO: Other senior departmental managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control Policy on Internal Control Deputy Heads are provided with independent assurance from internal auditing and advice from the audit committee, regarding the effectiveness of risk management, control and governance processes 32

Senior Management Meeting aligned to the Financial Statements This can result in: Out of date information being presented to management Inability to create a sense of urgency in responding to control

33 Raise the Profile of Internal Controls at the Oversight Bodies Oversight of internal controls often becomes just an annual event Annual statement of effectiveness of internal controls by Management Annual report on the status of the system of internal controls at Departmental Audit Committee aligned to the Financial Statements Annual report on the status of the system of internal controls at Senior Management Meeting aligned to the Financial Statements This can result in: Out of date information being presented to management Inability to create a sense of urgency in responding to control weaknesses Reactive rather than proactive actions taken to respond to changes that impact ICFR or identified weaknesses A weakened message regarding the importance of the system of internal controls to the organization 33

oversight make the status of internal controls a standing agenda item at

system of internal controls from operations Develop a dashboard to

34 Raise the Profile of Internal Controls at the Oversight Bodies To have a successful system of internal control, you need to: Introduce ongoing oversight make the status of internal controls a standing agenda item at senior management meetings and DACC meetings Appoint a Champion for the system of internal controls from operations Develop a dashboard to demonstrate status and progress (mimic Internal Controls management action plans monitoring) 34

35 Build Reporting into the Management Structure Reporting on the system of internal controls is often represented in: Annual statement of status on internal controls over financial reporting by management Annual status report regarding the effectiveness of internal controls aligned to the presentation of financial statements Annual review of status of the effectiveness of internal controls The information presented can be stale, result in reactive action, and sometimes simply lip service 35

36 Build Reporting into the Management Structure Enhancing reporting on the status of internal controls: Allows the importance of the system of internal controls to be reinforced Ensures current information is captured and enacted Identifies where action is needed to strengthen controls or adapt to change proactively Integrate the status of Internal Controls into Ongoing Management and Make the Effectiveness of Internal Controls real for Staff 36

37 Build Reporting into the Management Structure ONGOING MANAGEMENT - Make it a regular item on manager s meetings agendas, what's changed, what's working/not working - Make it active what are we doing to ensure effectiveness.. MAKE IT REAL - Understand the internal control framework; what are the expectations for internal controls - Identify the proof how do we as managers know the controls are in place and working? ONGOING MANAGEMENT - Incorporate it into operational reporting requirements; make it part of an operating dashboard - Financial Status Reporting - Quarterly Reporting - Performance management MAKE IT REAL - Capture the compliance aspect how do we prove the controls are working? - Link to key performance indicators - Evidence requirements 37

38 Recognize maintaining a system of internal controls is difficult UTILIZE CHANGE MANAGEMENT TECHNIQUES FOR SUCCESS 38

Recognize that people drive the success of internal controls Assessing, implementing and managing internal controls needs to recognize the impact on

39 Recognize that people drive the success of internal controls Assessing, implementing and managing internal controls needs to recognize the impact on people Inclusive approach Scoping Assessment Remediation Delivering results Understand the acceptance cycle of change New projects Grieving process 39

40 Inclusive Approach to ICFR 1. Develop stakeholder engagement and communications plans Keep open lines of communication and ensure that all relevant parties are notified of any changes as necessary, understand the assessment and level of effort required 2. Conduct PIC and ICFR assessment activities self assessment, internal and external ELC design and operating effectiveness testing ITGC design and operating effectiveness testing Business process controls assessment 3. Remediation of Controls Ensure the inclusion of Subject Matter Expert to ensure a pragmatic, realistic solution 4. Monitoring and Reporting Employ no surprises approach to ensure that there is consistent flow of two-way communication 5. Action plan and follow-up Engage Stakeholders throughout the process including the development of the action plan and monitoring of plans to make them achievable and reflective of the operating environment Action plans must be engrained into the departmental culture to ensure full acceptance and implementation of the PIC (think RBAP) 40

41 Perception of Change Change Management of ICFR Understanding the process of change when introducing a new project Valley of Despair 41

42 Presenting Results - The Grieving Process Stage How to React What this means for the PIC Denial Anger Bargaining Depression Acceptance Ask what they think will be bad, then ask if there is a possibility something good can come from it. Perhaps hold a team meeting to provide an open forum to discuss things. Often times, uncovering a misunderstanding or fear about the change can help with communication efforts. Understand the frustration and provide a constructive outlet, but one that doesn t negatively impact the team or the culture. Bargaining is creativity turned sideways. Try focusing that creativity on some aspect that is aligned with the new change. It gives people a chance to come to terms with the new reality. This is a perfect opportunity to provide opportunity for this team member to have a voice. When seeking feedback from your team, make sure you ask for their perspective. Get them actively involved with something positive. Getting a quick win on the board for them can help drag them out of the doldrums. Celebrate people s acceptance to the changes taking place. Show genuine gratitude for it and make sure you take the opportunity to connect it with the vision, mission and culture of the organization. The better you celebrate acceptance, the shorter the grieving process when the next change comes along. Communicate change management and communication plans Inform employees about the respective changes and/or assessment results on the PIC Keep it fact based Listen and keep discussion open, this is not a time for overwhelming information Focus creativity on development of pragmatic internal controls, help them be a part of the solution and not the problem Active involvement in quick wins will help the move to acceptance Celebrate successes Celebrate staff moving into the acceptance stage Monitoring and reporting stages can be implemented 42

43 Questions? 43

44 Orbis Risk Consulting 1327A Wellington St. W, 203 Ottawa, ON K1A3B6 44