As a result of the COVID-19 pandemic, publicly listed organizations that are required to comply with National Instrument 52-109 (NI-52-109 or CSOX) will need to adapt to the new normal and assess what impact on internal controls over financial reporting (ICFR) there is, if any. In Canada, the securities commissions have provided a 45-day blanket relief to filing requirements in cases where the original due date falls between March 23, 2020 and June 1, 2020.
While the majority of the workforce is working remotely, and focused on meeting day-to-day obligations and activities, ICFR may not be top of mind, resulting in a lapse of controls, requiring organizations to disclose the deficiencies in their Management Discussion & Analysis (MD&A). Below are some of the considerations that each publicly listed issuer’s CEO and CFO should take into account as they gear up for certification post-pandemic:
- Increased Control Failure Risk – Controls over financial reporting may not be performed consistently, as there may be fewer people in the organization (due to reduced hours, working from home arrangements or layoffs), which may result in lapse of control performance and may result in an increased number of control failures, requiring management to disclose the weaknesses in the MD&A, along with the potential impact on the financials.
- Increased Use of Sub-certification – Traditionally, larger organizations require a sub-certification process from senior officers to assist the CEO / CFO in identifying areas of potential impact that may result in a financial misstatement. This is done to spread the risk between Senior Management, and to provide a channel / opportunity to communicate any matters that may be significant for the CEO / CFO Certification. As most, if not all, senior officers are working remotely, the use of sub-certification may need to increase.
- Automation and Redesign of Processes and Controls – An increased number of automated controls will require more reliance on IT General Controls, as most organizations transition (or were in the process of transitioning prior to the pandemic) to more complex enterprise resource planning systems. In addition, as organizations outsource certain functions, the use of System and Organization Controls (“SOC”) reports will increase and organizations will need to map the controls at the service organization to complementary controls within the organization.
- Comprehensive Fraud Risk Assessment Process – Business disruption due to COVID-19 may create new risks of bribery and corruption and uncover existing instances of fraud, embezzlement and self dealing. In the event of a material fraud, financial restatements may be required and organizations may have to disclose a material weakness in their MD&A. Effective anti-fraud programs provide an organization with tools to manage risk in a manner consistent with its stewardship requirements as well as its business needs. Such an approach has four phases: 1) Establish and communicate a Fraud Risk Management Program; 2) Conduct a comprehensive fraud risk assessment that identifies specific fraud schemes and risks; 3) Select, develop, and deploy preventive and detective fraud control activities to mitigate the risk of fraud events; and 4) Deploy a coordinated approach to investigation and corrective action to address fraud appropriately.
- Comprehensive Risk Assessment Process – Post-pandemic, organizations will seriously consider risks that were once considered black swans (i.e. low likelihood of occurrence, high impact), and these risks will appear more frequently on organizational risk assessments, with response plans developed as part of the operations process, as well as reporting obligations. The Board and Management will be held accountable to a higher standard in ensuring the well-being of employees and other stakeholders, and this may need to be disclosed in the MD&A and Financial Statements along with the usual business and fraud risks.
To learn more about internal controls during the pandemic, contact your local advisor.
Why MNP is the Right Choice For Your ICFR Program
Pragmatic, Risk-Based Approach
Our methodology focuses on identifying, evaluating, prioritizing and managing the risks that could reasonably result in a material omission or misstatement and developing pragmatic solutions to address design gaps in governance, processes and controls.
Passionate, Engaged and Qualified TeamOur team members are passionate about processes and controls and take great pride in what they do. They are engaged and personally seek to assist you to achieve continuous improvements. Also, our team members are designated chartered professional accountants (or in the program).
Active Involvement by Partners and Senior Managers
The foundation of our service delivery is the active and direct participation by the most experienced members of our engagement team. We are committed to providing more senior personnel to any engagement than our competitors and driving a partner-led approach.
Boutique Service Model Supported by a National Firm
We have a dedicated, locally-based NI-52-109 practice that will work collaboratively with you to refine and execute a “fit for purpose” CSOX program. As we are a national firm that has been operating for over 70 years, the certifying officers of your organization will have the full support of our firm based on the work we perform on your behalf.
Value Beyond Compliance
We provide value beyond compliance by leveraging our extensive experience with comparable organizations to identify opportunities to achieve business process and control improvements in accordance with your risk and control culture, rather than just completing a compliance exercise.