Sector
SOx Implementation at the CBC
Annual IPAC Conference
Charlottetown, PEI
August 28, 2006
Stéphane Rivest
(613) 288-6095
Stephane_Rivest_OTT@Radio-Canada.ca
Mark MacDonald, Ph.D.
(416) 777-8290
markmacdonald@kpmg.ca
PRESENTATION
Outline
I. Performance and Accountability – Managing for Results
IV Elements of ICOFR
Control frameworks
A typical project
PRESENTATION 2
I. Performance and
Accountability –
Managing for Results
PRESENTATION 3
Managing Risk & Enhancing Value
PRESENTATION 4
Why new accountability expectations?
PRESENTATION 5
Why manage for results?
Improve effectiveness/efficiency
Do the right things
Do them in the right way
PRESENTATION 6
What changes when you manage for results?
Results-based budgeting
PRESENTATION 7
What happens when managing for results is
adopted?
Renew focus on core services
PRESENTATION 8
II. Canada – USA Comparison
PRESENTATION 9
U.S. Environment
Wave of corporate financial scandals in the United States including:
Enron
Tyco
Worldcom
Aldelphia
Caused by:
Improper activity, including misrepresentation and fraud
Off balance sheet activity, coupled with inadequate disclosure for the
average investor
Resulting in:
Erosion of public trust in corporations and capital markets in the United
States
Introduction of Sarbanes-Oxley Act (2002)
PRESENTATION 10
Impact on Public Companies
Internal Control Over Financial Reporting (ICOFR)
document
test
identify and correct deficiencies
report/certify
audit/attest
Affect on public-sector?
What is good for the regulated, is good for the regulator
PRESENTATION 11
United States Government
What is driving the push toward SOx in U.S. government?
Certain state governments have had a standard agency internal
control certification requirement in place for a long time
This standard was not very rigorous – unlike SOx, it does not follow
the COSO framework, little documentation or testing is required
New York State law now requires public authorities to adopt internal
control certification. However, an audit opinion is not required
In addition, at least 13 states are considering laws applying SOx-
type regulations to NFPs. California has already enacted its own
version of the corporate governance law for non-profits, the
Nonprofit Integrity Act, which went into effect in January, 2005
Members of congress and representatives of federal government
agencies started discussions in 2003 that have led the Office of
Management and Budget to establish a SOx-like requirement for
2006 – management certification, but no external audit opinion.
PRESENTATION 12
United States Government
Early Implementation of SOx
Federal Agencies
US Postal Service
Pension Benefit Guaranty Corp.
Homeland Security
State Agencies
NY State Public Authorities
Pension Plans
Enterprise Funds/Component Units
PRESENTATION 13
Canadian Environment
Spending Scandals
Sponsorship, HRDC, departmental expenditures
Public Inquiries
Gomery Commission, Krever Commission, Ipperwash Inquiry
PRESENTATION 14
Federal Accountability Act (2006)
PRESENTATION 15
“Accountable, Responsive and Innovative
Government”
Management Accountability Framework
PRESENTATION 16
III. What is SOx?
PRESENTATION 17
SOx in the Public Sector
The Public Company Accounting Reform and Investor Protection Act of 2002
(Sarbanes-Oxley Act), signed into law on July 30, 2002, requires:
Section 302 – management to prepare a certification statement that accompanies the
financial statements
Section 404 – every annual report of public companies to include an internal control
report from management
In Canada
Bill 198 (Ontario)
Multilateral Instrument 52-109 – Canadian Securities Administrators
No audit requirement
PRESENTATION 18
SOx in the Public Sector
Some jurisdictions are starting to introduce mandatory requirements and
others are adopting SOx or SOx-like initiatives on a voluntary basis
PRESENTATION 19
United States Government
Regulatory Framework
The Federal Manager’s Financial Integrity Act of 1982 (FMFIA) requires the
heads of the 23 CFO Act agencies to annually evaluate and report on the
agency’s systems of internal accounting and administrative control
FMFIA directs the Office of Management and Budget (OMB) to establish
guidelines for the evaluation by agencies of their systems of internal
accounting and administrative control
Those guidelines are now set forth in OMB Circular A-123, Management
Accountability and Control, which define internal control using components
contained in the COSO guidance, which is the internal control framework
used most often by public companies that are subject to SOx section 404
(management assessment of internal controls)
PRESENTATION 20
United States Government
___________________________
Head of Agency
PRESENTATION 21
Pros – of adopting SOx-like measures in the PS
Process Improvements:
Eliminate ineffective or duplicative controls
Identify and remediate
PRESENTATION 22
Cons – of adopting SOx-like measures in the PS
Let the commercial world shake out the problems – there is “push-back”
in the private sector
PRESENTATION 23
IV. Elements of ICOFR
Control frameworks
A typical project
PRESENTATION 24
Control Frameworks
Consideration of alternate control frameworks, not just COSO:
Nothing specific is dictated, in terms of acceptable frameworks
COSO is the most elaborative internal control framework, and the choice of the
private sector in the USA
Others: • Financial capability model (AG model)
• Capacity check (TB)
• Cadbury
• COCO (CICA)
• GAO Green Book (USA)
• OMB A-123 (USA
• COBIT
PRESENTATION 25
Control Frameworks
PRESENTATION 26
COSO Framework
PRESENTATION 27
A Typical project
Plan and Scope Develop and communicate a comprehensive plan which clearly outlines
1 the Evaluation the project scope, approach, milestones and resource needs will serve
as the foundation for a successful initiative.
2 Document Controls Document the design of significant internal controls for processes.
Evaluate Design & Evaluate design and operating effectiveness of internal control over
3 Operating financial reporting and document results of evaluation.
Effectiveness
Identify & Correct Identify, accumulate, and evaluate design and operating control
4 Deficiencies deficiencies; communicate findings and correct deficiencies.
6 Audit of Internal
Control
Prepare for the auditor to conduct the internal control audit
PRESENTATION 28
V. Case Study - CBC
PRESENTATION 29
Vision of the Project
PRESENTATION 30
Scope of the Project
PRESENTATION 31
CBC’s approach
Document
Opted for narrative process documentation with control matrices (no flow
charts)
Review of control matrices to retain only key controls
PRESENTATION 32
CBC’s Approach
Report
Report on effectiveness of Internal Controls
PRESENTATION 33
Critical Success Factors
Active involvement of a steering committee and senior executives to set
the tone and critical importance of the Project, necessary to obtain
commitment throughout the organization
Establishment of a dedicated, adequately resourced project team, led by a
senior executive throughout the duration of the Project, with adequate
skills, controls experience and clearly defined roles
Early communications of Project objectives, scope, approach and
responsibilities for delivery of all aspects of the project – and in
particular, the overriding responsibility of the individual business areas to
achieve compliance with the new control requirements
Selection and tailoring of an appropriate methodology, automated tools
and training programs to ensure a high level of quality and consistency
across all business areas
Establishment of adequate processes to track and manage issues, risks
and changes, as well as maintaining ongoing documentation of benefits
Ability of the Project approach and work plan to adapt as required
Focus of project efforts on those business areas and processes that have
the potential of large financial risk to the organization
PRESENTATION 34
Status and Next Steps
Status
Completed documentation and assessment
Next steps
Complete documentation of Vision project ICFR
Create testing and remediation plan (on-going)
Test and remediate (Sept-Feb)
Report (Feb-Mar)
Create sustainment plan (Sept-Oct)
PRESENTATION 35
Challenges
Resource contention
New projects
Other project changes and delays
Sustainment activities
PRESENTATION 36
VI. Questions and Discussion
PRESENTATION 37