Bill 198 – Sarbanes-Oxley Comes to
Source – Barry Shaw, Principal, BRS
Management Consulting, 2005
The Countdown Has Begun
The Sarbanes-Oxley Act, which was recently implemented in the
Compliance to such regulations is not new to some large
Canadian organizations. Canadian
companies who are SEC registrants, meaning they are listed on US stock
exchanges, have been subjected to the same rules that apply to US domestic
companies. For most companies involved
in Sarbanes-Oxley compliance (particularly with Section 404 and 302), the
exercise has been difficult and expensive. CEO’s of Canadian firms listed on the
The Toronto Stock Exchange, the British Columbia Securities
Commission, and Canadian business executives have protested the implementation
of such draconian measures, arguing that the Enron, Worldcom,
and Adelphia corporate scandals have not happened in
In any event, there is a definite move towards tighter
regulations internationally.
Sarbanes-Oxley
Regulations – A Refresher
For the unfamiliar, the Sarbanes-Oxley Act is an eleven-part document covering all the requirements for registrants of the US Securities and Exchange Commission. Most noteworthy are Sections 302 and 404, which impose new rules and responsibilities intended to ensure that financial reports are materially accurate present a fair and true picture of a company’s condition.
Section 302 requires CEO’s and CFO’s to sign off on the accuracy of their financial statements, obligating them to accept personal liability for those statements; a new and frightening responsibility.
Section 404 requires a company to submit quarterly and annual ‘internal control reports’ which attest to a company’s use of a proven control framework for accurate and timely financial reporting and disclosures. This innocuous little title of the SOX Act was the one that really sent corporations into a panic. If no such control structure existed, and for most organizations it didn’t, it had to be planned, implemented and tested to an external auditor’s satisfaction before the SEC filing deadline. The only guidance the SEC gave on what control framework might be acceptable was the mention of the COSO model (Committee of Sponsoring Organizations of the Treadway Commission), a multi-dimensional structure similar in nature to the COBIT (Control Objectives for IT) model for IT governance.
New Corporate
Responsibilities – IT and the CEO/CFO
Aside from the costly diversion of funds and resources to the compliance effort, the SOX Act imposed new demands on two corporate roles in particular – the CEO/CFO executive and the IT Manager.
With his John Henry on the financial report, the CEO/CFO must be supremely confident that things are exactly as written. The days of trusting the reporting chain are gone. The CEO/CFO must now be ‘control infrastructure’ savvy, with a comprehensive knowledge of the extent and reliability of the organization’s checks and balances, audits, and risk mitigation mechanisms.
Life will never be the same for IT Managers, either. Current and legacy systems that have remained largely undocumented, regardless of whether they performed reliably in the past, must now be fully documented and catalogued to an extent never before required.
Sarbanes-Oxley vs Bill 198 – Key Differences
Bill 198 deals with virtually all of the same issues as Sarbanes-Oxley, including auditor independence, audit committee responsibilities, CEO and CFO accountability for financial reporting and internal controls, faster public disclosure, and stiffer penalties for illegal activities.
The most significant difference between the US SEC and Canadian OSC regulations is the deadline for full compliance. For ‘accelerated’ SEC registrants (those with a market capitalization of more than $75 million), the filing deadline was mid-November, 2004. For Canadian companies, the deadline for full compliance is near the end of 2006, almost two years away. That should be plenty of time to get internal controls in order. Note however that starting this year (under the MI 52-109 part of Bill 198), Canadian company CEO’s and CFO’s must certify that their annual and interim financial statements are ‘fairly presented’ and that they have effective internal controls in place.
The other key difference pertains to the quarterly and annual control attestation reports. The way Bill 198 is now proposed, Canadian companies do not have to submit an external auditor attestation of the adequacy of internal controls. That may change soon under proposed changes in Multilateral Instrument 58-101 and 58-201.
It should be added that like the Sarbanes-Oxley Act, Bill 198 has beefed up penalties for Ontario Securities Act offenses from $1 million and 1 year in prison to $5 million and 5 years in prison.
New Corporate Mindset for
Recent surveys of Canadian companies have
revealed that more than half of respondents feel
Luckily, more than half of surveyed Canadian company executives feel the new regulations will have a positive impact on senior management’s ability to run the company. It appears that Canadian senior executives will play a crucial role in setting the ‘tone from the top’ and providing the driving force for a new corporate mindset.
For more information on BRS Management Consulting, visit www.brs-management.com.