Assessing Internal Controls - New Imperative


Assessing and Reporting on Internal
Controls: The Implications of
Sarbanes-Oxley and Bill 198
Shelley Tremblay and Peter Laureshen
PricewaterhouseCoopers Presentation to
Petroleum Joint Venture Association (PJVA)
March 16, 2004
PwC
Agenda
• The New Reporting Environment
• U.S. Sarbanes-Oxley Act and Canadian Bill 198 Rules
• Elements of an Internal Control Framework
• Front line Feedback – PwC Survey Results
• Challenges for Oil and Gas Companies
• Conclusions
The New Reporting Environment
What is driving the new reporting
requirements?
The Recent Failures
• Dotcoms, Nortel, Cisco
• Enron
• Adelphia
• WorldCom
• Tyco
• Parmalat
• Hollinger
• Mutual Fund Industry
The Responses
• U.S. Sarbanes-Oxley Act (2002) or “SOx”
• Canadian Bill 198 and Multilateral Instrument 52-109 (2003) or “CSOx”
What has Changed?
Truth or Consequences!
The penalties for a CEO and/or CFO for providing a false certification of financial information under the Sarbanes-Oxley Act are now substantial!
Years in Jail:
a) 1-2 years: Escaping from prison
b) 3-5 years: Kidnapping involving Ransom
c) 10-20 years: Incorrect SOx Certification
d) 11-14 years: Second Degree Murder
e) 20-25 years: Hijacking
U.S. Sarbanes-Oxley Act and
Canadian Bill 198 Rules
U.S. Sarbanes-Oxley Act (“SOx”)
The U.S. Sarbanes-Oxley Act of 2002 contains 11 Titles and 66 Sections.
Title I – Public Company Accounting Oversight Board. PCAOB formed as
branch of Securities and Exchange Commission (SEC). Public Auditing firms
must register with PCAOB and are now brought under the regulation of the
PCAOB.
Title III – Corporate Responsibility. Section 302 establishes certification
requirements for CEOs and CFOs of Annual and Quarterly reports filed with
the SEC.
Title IV – Enhanced Financial Disclosures. Section 404 (a) requires
management to assess and report on internal controls, and Section 404 (b)
requires the company’s External Auditor to attest to and report on
management’s assertions on internal controls.
PCAOB Auditing Standard for
Attestation of Internal Control Report
On March 9, 2004, the PCAOB adopted “Auditing Standard No.2, An Audit of
Internal Control over Financial Reporting Performed in Conjunction with an
Audit of Financial Statements”, the attestation standard referred to in Section
404(b).
Implementation has been delayed for “Issuers” and “Accelerated Filers” and
is now effective for companies whose fiscal years end on or after November
15, 2004 (original date was September 15, 2003, then June 15, 2004).
For “Foreign Private Issuers” (including most Canadian companies),
implementation is effective for companies with year-ends on or after July 15,
2005.
Canadian Bill 198
In June 2003, the Ontario Securities Commission (“OSC”) and the Canadian
Securities Administrators (“CSA”) published for comment three new corporate
governance rules, collectively referred to as Bill 198:
• Multilateral Instrument 52-108 Auditor Oversight
• Multilateral Instrument 52-109 Certification of Disclosure in
Companies' Annual and Interim Filings (“CSOx”)
• Multilateral Instrument 52-110 Audit Committees
Multilateral Instrument 52-109 (CSOx) is basically adopting SOx Section
302 with an emphasis on Disclosure Controls and Procedures (DC&P).
The issue of whether to implement a SOx Section 404 equivalent certification
with an emphasis on Internal Controls over Financial Reporting (ICFR)
and External Auditor attestation has been tabled pending further study.
CSOx Rules - CEO/CFO Certification
Interim Filings – CEO and CFO to certify that they:
• Are responsible for Internal Controls over Financial Reporting (ICFR), and
Disclosure Controls and Procedures (DC&P).
• Have designed Internal Controls over Financial Reporting (ICFR) to
provide reasonable assurance that financial statements are fairly presented
in accordance with GAAP.
• Have designed Disclosure Controls and Procedures (DC&P) to provide
reasonable assurance that material information is made known to them by
others within the issuer and its consolidated subsidiaries.
• Have indicated in the MD&A any changes to Internal Controls over
Financial Reporting (ICFR) that have materially affected, or are reasonably
likely to materially affect, the issuer’s Internal Control over Financial
Reporting.
CSOx Rules - CEO/CFO Certification
Annual Filings – In addition to certification in interim filings, CEO
and CFO to certify that:
• They have evaluated the effectiveness of Disclosure Controls and
Procedures (DC&P).
• They have presented their conclusions on those controls in the annual
MD&A.
Filings to be Certified
• Annual Information Form (AIF), annual financial statements, annual
MD&A, interim financial statements and interim MD&A
CSOx Rules - Implementation
Timeframe
Phased-in approach to meeting requirements:
Instrument comes into force on March 30, 2004. Annual certificates apply
for financial years beginning on or after January 1, 2004.
However, Transitional “Bare Certificate” can be filed for financial years ending on
or before March 30, 2005. The “Bare Certificate” requires that the CEO and CFO
certify that:
• They have reviewed the filings.
• The filings do not include any untrue statement of a material fact or omit to state
a material fact.
• The financial statements along with other financial information, fairly present
financial conditions, results of operations and cash flows.
Summary - Addressing the
Requirements of SOx and CSOx
[Diagram: Disclosure Requirements. Legend: Operations, Financial Reporting, Compliance. Labels: Disclosure Controls and Procedures; Internal Controls over Disclosure Requirements; Internal Accounting Controls; Internal Controls Over Financial Reporting (Including footnotes)]
Disclosure Controls and Procedures
Controls and other procedures designed to ensure information required to be disclosed by issuer is recorded,
processed, summarized and reported in a timely manner.
Elements of an Internal
Control Framework
Definitions
Disclosure Controls and Procedures (DC&P)
• Provide reasonable assurance that:
• information required to be disclosed is recorded, processed,
summarized and reported within the time periods required.
• such information is accumulated and communicated to the
issuer’s management, including the CEO and CFO, in order to allow
timely decisions regarding required disclosure.
• Apply to material financial and non-financial information to be included
in public reports so that investors are fully informed.
• Broader than Internal Controls over Financial Reporting (ICFR), and
inclusive of ICFR to the extent it impacts disclosures.
Definitions (cont.)
Internal Control over Financial Reporting (ICFR)
• Provide reasonable assurance on the reliability of financial reporting and
the preparation of financial statements for external purposes in
accordance with GAAP and addresses:
• maintenance of records that accurately and fairly reflect the
transactions and dispositions of the assets of the issuer
• reasonable assurance that transactions are recorded to permit the
preparation of financial statements in accordance with GAAP, and that
receipts and expenditures are made in accordance with authorizations
of management and directors; and
• reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of assets that could
have a material impact on the financial statements.
The Five Components under the
COSO Framework
Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Control Activities
• Policies and procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.
All five components must be in place for a control to be effective.
Front Line Feedback – PwC
Survey Results
Results from January 22-23, 2004 PwC Survey of 120 SOx 404 Project Leaders
from major corporations attending a Sarbanes-Oxley Conference held in New
Jersey
Front Line Feedback – Snap Shot
1. Nearly 75% of respondents have seen a significant increase in the level of
effort required to comply with SOx 404 as compared to original estimates.
About 1/3 of these saw increases of more than 75%.
2. Respondents reported difficulties in the following areas:
• Level of Testing required: 95%
• Documentation: 89%
• Multiple Locations: 65%
• Evaluating Control Weaknesses: 63%
• Initial Scoping: 59%
• Outsourced Processes: 46%
• Global Support: 35%
• Specialty Processes e.g. treasury/tax: 33%
Front Line Feedback – Snap Shot
3. Respondents reported that the areas where their companies
are most likely to need remedial work to fix problems prior to
certification are:
• Manual controls: 72%
• Computer controls (excluding security): 65%
• Security: 54%
• Fraud: 44%
• Financial reporting: 35%
• Audit Committee: 13%
Front Line Feedback – Snap Shot
4. Respondents reported they intend to make improvements in
the following areas in future to streamline compliance.
• Risk identification and assessment: 67%
• Financial Reporting: 50%
• Internal Audit: 46%
• Compliance Management: 46%
• IT Security Strategy and Implementation: 44%
• IT Oversight and Operations: 41%
• Risk Mitigation Processes: 33%
The Challenges Ahead for
Oil and Gas Companies
Oil & Gas Exploration & Production
Some Internal Control challenges for E&P Companies?
• Production accounting (reconcile to measurement and delivery points;
production allocations)
• Revenue accounting (involving commodity trading, derivatives, inventory
hedging)
• Reserves estimates (conflicting US, Canada rules)
• Joint Interest accounting (reliance on Land, DOI)
• Accuracy of Division-of-Interest (DOI) across all IT systems (Production,
Reserves, Revenue, JI Acct, Land, Budgeting)
Oil & Gas Exploration & Production
Joint Venture Arrangements
• Assess significance of Non-operated Properties in terms of
quantitative and qualitative materiality factors, and in relation to
company’s significant accounts and disclosures.
• Challenge is to obtain appropriate comfort over Internal
Controls over Financial Reporting (ICFR) of Operators.
– JV Audit Process
– Controls over JV Billing Process
– Validation of revenues vs. expenditures
Oil & Gas Exploration & Production
Oil and Gas Companies Recently in the News:
• Royal Dutch Shell – Reserve estimates reduced by 20%.
Cascading reserve reductions by companies and trusts with
interests in Shell-operated properties.
• El Paso - Reserve estimates reduced by 35-40%. Disclosed
values of reserves exceeded Independent Reserve Estimates.
• BP – Reduced reserves estimates by 2-3%.
Conclusions
The world has changed for CEOs, CFOs, Directors, Audit Committees,
Auditors, and for Management and Employees, albeit in different ways.
The bar has been raised (or lowered), and …for some, the “bars” will close!
The short-term challenges for corporations are project related.
The longer term challenges are creating a sustainable compliance program
that fully integrates compliance steps into routine management practices.
Some companies are not going to make it. Some companies will have
significant deficiencies, some companies will receive negative opinions from
their auditors. The capital markets will determine the consequences.
Contact Details
Shelley Tremblay, Manager and Peter Laureshen, Manager
PricewaterhouseCoopers LLP
Suite 3100, 111 - 5th Avenue SW
Calgary, Alberta, Canada
T2P 5L3
Shelley: (403) 296-4007
Peter: (403) 509-7485
PASC www.petroleumaccountants.com
PJVA www.pjva.ca