
Accountability in the Public Sector
SOx Implementation at the CBC
Annual IPAC Conference
Charlottetown, PEI
August 28, 2006

Richard Harris, FCA


(416) 777-3367
rmharris@kpmg.ca

Stéphane Rivest
(613) 288-6095
Stephane_Rivest_OTT@Radio-Canada.ca
Mark MacDonald, Ph.D.
(416) 777-8290
markmacdonald@kpmg.ca

PRESENTATION
Outline
I. Performance and Accountability – Managing for Results

II. Canada – USA Comparison

III. What is SOx?

IV. Elements of ICOFR
Control frameworks
A typical project

V. Case Study – SOx Implementation at the CBC

VI. Questions and Discussion

I. Performance and Accountability – Managing for Results

Managing Risk & Enhancing Value

Why implement performance and accountability measures?


To more effectively define and understand policy and program objectives
To more effectively allocate resources
To more effectively manage for results
To meet new accountability expectations

Performance and accountability are inextricably linked

For public managers, the overarching objective is to:


Manage risks
Enhance value

Why new accountability expectations?

To satisfy a knowledgeable and skeptical public

To find out about results, as linked to public spending/activity

To find out about the complete range of management responsibilities


Financial
Value-for-money
Delivery of results

To secure the trust and confidence of the public

To satisfy democratic requirements

Why manage for results?

Respond to fiscal pressure

Improve effectiveness/efficiency
Do the right things
Do them in the right way

Meet new accountability expectations

Improve public policy decision-making

Deliver better results for citizens and taxpayers

What changes when you manage for results?

Achieve clarity about public and organizational objectives

Establish a new management culture

Focus on risk management

Establish new/different control systems

Measure performance (results)

Results-based budgeting

What happens when managing for results is adopted?
Renews focus on core services

Achieves greater clarity about core objectives

Identifies opportunities for alternative service delivery

Enhances utilization of shared services

Enhances budgetary and performance management

Enhances public accountability

II. Canada – USA Comparison

U.S. Environment
Wave of corporate financial scandals in the United States including:
Enron
Tyco
WorldCom
Adelphia

Caused by:
Improper activity, including misrepresentation and fraud
Off-balance-sheet activity, coupled with inadequate disclosure for the average investor

Resulting in:
Erosion of public trust in corporations and capital markets in the United States
Introduction of Sarbanes-Oxley Act (2002)

Impact on Public Companies
Internal Control Over Financial Reporting (ICOFR)
document
test
identify and correct deficiencies
report/certify
audit/attest

Compliance Requires a Significant Undertaking


time
money
focus

Effect on the public sector?
What is good for the regulated, is good for the regulator

United States Government
What is driving the push toward SOx in U.S. government?
Certain state governments have had a standard agency internal control certification requirement in place for a long time
This standard was not very rigorous: unlike SOx, it does not follow the COSO framework, and little documentation or testing is required
New York State law now requires public authorities to adopt internal control certification. However, an audit opinion is not required
In addition, at least 13 states are considering laws applying SOx-type regulations to NFPs. California has already enacted its own version of the corporate governance law for non-profits, the Nonprofit Integrity Act, which went into effect in January 2005
Members of Congress and representatives of federal government agencies started discussions in 2003 that have led the Office of Management and Budget to establish a SOx-like requirement for 2006 – management certification, but no external audit opinion.

United States Government
Early Implementation of SOx
Federal Agencies
US Postal Service
Pension Benefit Guaranty Corp.
Homeland Security

State Agencies
NY State Public Authorities
Pension Plans
Enterprise Funds/Component Units

Not-For-Profit Sector – Significant Voluntary Adoption

Canadian Environment
Spending Scandals
Sponsorship, HRDC, departmental expenditures

Trend Toward Special Examinations


Value for money, program evaluations

Public Inquiries
Gomery Commission, Krever Commission, Ipperwash Inquiry

Federal Government Agenda


Management Accountability Framework
Federal Accountability Act

Federal Accountability Act (2006)

Electoral financing reform

Ethics and lobbying

‘Truth in Budgeting’ – Parliamentary Budget Authority

Procurement and government contracting

Real protection for whistleblowers

Strengthening the power of the Auditor General

Strengthening auditing and accountability within departments

“Accountable, Responsive and Innovative Government”
Management Accountability Framework

Comptroller General of Canada


Re-establishment

New Internal Audit Policy


April 1, 2006
Includes:
Baseline Qualifications for CAE (Chief Audit Executive)
Adoption of International Standards from the Institute of Internal Auditors
Mandatory QAR (Quality Assessment Review)
Annual assurance statement on governance, risk management and control

Evidence that Canadian Federal Government is moving towards a ‘strong accountability’ regime, including ‘SOx-like’ measures

III. What is SOx?

SOx in the Public Sector
The Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley Act), signed into law on July 30, 2002, requires:
Section 302 – management to prepare a certification statement that accompanies the financial statements
Section 404 – every annual report of public companies to include an internal control report from management

“The two Sarbanes-Oxley sections that would be most relevant to the public sector are Section 302: ‘Corporate Responsibility for Financial Reports’ and Section 404: ‘Management Assessment of Internal Controls’”

John Radford, State Controller (Oregon)

In Canada
Bill 198 (Ontario)
Multilateral Instrument 52-109 – Canadian Securities Administrators
No audit requirement

SOx in the Public Sector
Some jurisdictions are starting to introduce mandatory requirements and
others are adopting SOx or SOx-like initiatives on a voluntary basis

Trends in other jurisdictions could motivate similar action in Canada

Applying the rigor of Sarbanes-Oxley like provisions could require some significant enhancement or remediation in controls that support external reporting – including performance measurement reporting

United States Government

Regulatory Framework
The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires the heads of the 23 CFO Act agencies to annually evaluate and report on the agency’s systems of internal accounting and administrative control
FMFIA directs the Office of Management and Budget (OMB) to establish guidelines for the evaluation by agencies of their systems of internal accounting and administrative control
Those guidelines are now set forth in OMB Circular A-123, Management Accountability and Control, which defines internal control using components contained in the COSO guidance, which is the internal control framework used most often by public companies that are subject to SOx section 404 (management assessment of internal controls)

United States Government

Internal Control Certification:


Revised OMB A-123: Sample Assurance Statement?
Fiscal Year 2XXX
Annual Assurance Statement on Internal Control over Financial Reporting
The [Agency’s] management is responsible for establishing and maintaining effective internal
control over financial reporting, which includes safeguarding of assets and compliance with
applicable laws and regulations. The [Agency] conducted its assessment of the
effectiveness of the [Agency’s] internal control over financial reporting in accordance with
OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results
of this evaluation, the [Agency] can provide reasonable assurance that the internal control
over financial reporting as of June 30, 2XXX was operating effectively and no material
weaknesses were found in the design or operation of the internal controls over financial
reporting.

___________________________
Head of Agency

Pros – of adopting SOx-like measures in the PS

Taxpayers’ money should be subject to the same controls as that of investors (improve the confidence of citizens over use of taxpayer funds)

Process Improvements:
Eliminate ineffective or duplicative controls
Identify and remediate

Enhance executive level accountability and responsibility for financial reporting

To improve the accuracy and reliability of financial information used by managers to run the business of government

Cons – of adopting SOx-like measures in the PS

Cost benefit isn’t proven – spending dollars to chase dimes

Let the commercial world shake out the problems – there is “push-back” in the private sector

Increase in material weaknesses, requiring remediation

Must allow plenty of time for management to complete an internal self-review, before subjecting to audit

Risks and objectives of a government entity differ from those of a commercial enterprise

IV. Elements of ICOFR
 Control frameworks
 A typical project

Control Frameworks
Consideration of alternate control frameworks, not just COSO:
Nothing specific is dictated, in terms of acceptable frameworks
COSO is the most elaborate internal control framework, and the choice of the private sector in the USA
Others:
• Financial capability model (AG model)
• Capacity check (TB)
• Cadbury
• COCO (CICA)
• GAO Green Book (USA)
• OMB A-123 (USA)
• COBIT

Control Frameworks

Evaluation must be based on a recognized control framework

COSO is the “de facto” standard


Virtually all organizations seeking to comply with SOx are using it
More detailed than a standard like COCO
Firms like KPMG are integrating our methodology around COSO

Conclusion: use COSO, or be prepared to demonstrate that the framework used reasonably aligns with COSO (N.B. Some public sector organizations that have embraced control risk self assessment may be using COCO and it may be easier to continue to use this framework)

COSO Framework

Overview of COSO Framework

1. Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people
2. Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
3. Control Activities – The policies and procedures that help ensure management directives are carried out
4. Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
5. Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time
All five components must be in place for a control to be effective

A Typical project

1. Plan and Scope the Evaluation – Developing and communicating a comprehensive plan which clearly outlines the project scope, approach, milestones and resource needs will serve as the foundation for a successful initiative.
2. Document Controls – Document the design of significant internal controls for processes.
3. Evaluate Design & Operating Effectiveness – Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
4. Identify & Correct Deficiencies – Identify, accumulate, and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control – Prepare management’s written assertion on the effectiveness of internal control over financial reporting.
6. Audit of Internal Control – Prepare for the auditor to conduct the internal control audit.

V. Case Study - CBC

Vision of the Project

Demonstrate that CBC/Radio-Canada is a well managed company by being proactive in the area of internal controls

Develop control framework, in order to evaluate the effectiveness of internal controls as well as to document internal controls

Give Senior Management adequate tools in order to attest on effectiveness of internal control over financial statements

Scope of the Project

The internal controls project includes
Documentation and evaluation of financial processes and internal controls over financial statements
Documentation and evaluation of financial processes and internal controls over financial statements impacted by the Vision project
Documentation of Information Technology (IT) general controls

CBC’s approach

Plan and scope


Engaged KPMG as Subject Matter Advisors to provide expert advice and assistance to the project
Utilized the basis of KPMG’s methodology and adapted it to CBC’s requirements
Through a risk and significance ($) assessment, identified processes and business locations to be included in the project

Document
Opted for narrative process documentation with control matrices (no flow charts)
Review of control matrices to retain only key controls

CBC’s Approach

Evaluate and correct


Review process documentation and control matrices to identify gaps and remediation requirements and to plan control testing
Correct deficiencies
Test controls
Correct gaps identified in testing

Report
Report on effectiveness of Internal Controls

Critical Success Factors
Active involvement of a steering committee and senior executives to set the tone and critical importance of the Project, necessary to obtain commitment throughout the organization
Establishment of a dedicated, adequately resourced project team, led by a senior executive throughout the duration of the Project, with adequate skills, controls experience and clearly defined roles
Early communications of Project objectives, scope, approach and responsibilities for delivery of all aspects of the project – and in particular, the overriding responsibility of the individual business areas to achieve compliance with the new control requirements
Selection and tailoring of an appropriate methodology, automated tools and training programs to ensure a high level of quality and consistency across all business areas
Establishment of adequate processes to track and manage issues, risks and changes, as well as maintaining ongoing documentation of benefits
Ability of the Project approach and work plan to adapt as required
Focus of project efforts on those business areas and processes that have the potential of large financial risk to the organization

Status and Next Steps

Status
Completed documentation and assessment
Next steps
Complete documentation of Vision project ICFR
Create testing and remediation plan (on-going)
Test and remediate (Sept-Feb)
Report (Feb-Mar)
Create sustainment plan (Sept-Oct)

Challenges

Resource contention
New projects
Other project changes and delays
Sustainment activities

VI. Questions and Discussion
