High-profile financial mismanagement scandals have occurred in both the private and public sectors over the past few years. For publicly listed companies in Canada and the United States, requirements have been instituted for the chief executive officer and the chief financial officer to personally certify that they have reviewed and tested their internal controls over financial reporting and assert that the internal controls are operating effectively.
In the public sector, many similar examples of internal control certification requirements are beginning to surface. The US government, for example, has introduced regulations for its largest agencies that require annual certification of internal controls over financial reporting. In Canada, the federal government is expected to issue a new Policy on Internal Control shortly, as part of its new Financial Management Policy Framework. It is anticipated that the deputy head and CFO of each department will be required to sign an annual Statement of Internal Control acknowledging their responsibilities and confirming that the effectiveness of the system of internal control has been reviewed, including controls over financial reporting. In addition, several of the larger Crown corporations, federal and provincial, are either contemplating or have already embarked on internal control certification projects. One of the reasons given by Crowns for pursuing certification, absent any formal requirements, is that it is seen by many to be an emerging best practice for management that also provides board members with greater comfort in discharging their oversight responsibilities.
Historically, public sector management’s responsibility for internal control has always been explicit. In Ontario, for example, the deputy minister of finance and the provincial controller sign an annual Statement of Responsibility attached to the consolidated financial statements of the province, stating “the government is responsible for maintaining systems of financial management and internal control to provide reasonable assurance that transactions recorded in the Consolidated Financial Statements are within statutory authority, assets are properly safeguarded and reliable financial information is available for preparation of these Consolidated Financial Statements.” Federally, many CFOs have signed similar statements acknowledging their responsibilities for internal control, attached to their unaudited financial statements.
Experience has shown that most organizations, private or public, are very “control aware.” Internal control certification should be viewed as a mechanism to provide more structure, rigour and evidence of management’s framework of internal controls. While initial efforts at internal control certification in the private sector resulted in complaints that the process was too expensive, many lessons have been learned since that time. The public sector has an opportunity to benefit from and apply these lessons to implement a more efficient, risk-based and strategic-control certification program.
The focus of most internal control certification projects is financial reporting. The typical scope includes business process controls, IT controls, and entity-level controls. The starting point is the entity’s financial statements, which are “decomposed” to break down the main business processes. Key IT application systems (such as SAP, Oracle, custom developed systems, etc.) and supporting technology infrastructure are then identified in relation to each of the material business processes. Finally, key entity-level controls (which represent the “tone at the top” for an organization) are identified. For each of these areas, controls are documented and tested to confirm appropriate design and operating effectiveness.
Recognizing that most government organizations are resource constrained, it is important, once scoping and planning have been completed, to set priorities for the documentation and testing efforts. The most prudent course is a risk-based approach, whereby a risk lens is applied to the areas in scope, using both quantitative and qualitative factors, to determine how to assign scarce resources to the riskiest areas. It is also advisable to address entity-level controls early in the project’s timeline to help simplify the requirements for control documentation and testing at the process level.
In addition, absent specific rules for certification in the public sector, many have found it practical to select a pilot process to initiate documentation and testing efforts and to allow refinement of the project’s approach and outputs. Public sector organizations should also consider a multi-year timeframe to cover ongoing documentation and testing efforts for all processes, reflecting the reality of limited resources.
Many organizations have also found opportunities to leverage the work of their internal audit departments and risk management activities. There are also opportunities to ensure that the governance structures established, the frameworks used and, where appropriate, the supporting technologies put in place for internal control certification, risk management and related initiatives are coordinated and aligned. Taking a coordinated approach will enable management to gather the evidence required to support their certification on internal controls in the most efficient and cost-effective manner.
Public sector internal control certification is now an emerging best practice. There is value in the process. There is also benefit in understanding the ways to optimize the required investment to reflect the unique risk profile of each organization. When done properly, certification doesn’t become yet another distinct process; rather, it provides an opportunity to optimize and align existing processes. Is your organization In Control?
Nancy Rector is the partner responsible for the Enterprise Risk Services (ERS) Group for Deloitte & Touche LLP in Ottawa.