Temi Grafstein Betawatch News Online

Temi Grafstein, Editor
www.betawatch.com

 

Spring, 2004

 

America Calls it Attestation and Canada says Personal Signing

Restoring investor confidence in publicly traded companies is the intended result of the Sarbanes-Oxley Act of 2002. It applies to companies that have an equity market capitalization of at least $75 million and are subject to the laws of the United States. On March 30, 2004, the Canadian Securities Administrators (CSA) put new regulations into effect that apply to all Canadian publicly listed companies and require Chief Executive and Chief Financial Officers to certify the accuracy of the data filed in their periodic statements and financial reports. Furthermore, the CSA, which is a council of 13 provincial and territorial regulators, is also developing separate rules on compliance similar to Sarbanes-Oxley Section 404.

Transferring Liability

These new North American regulations are as significant to business as, in a religious context, the publication of the King James Bible was 383 years ago. Until the passing of Acts by the SEC and CSA, corporations were the liable entities, not individuals. Now actual people are personally responsible: as Canadian regulations decree, they "personally sign" commitments and reports -- the United States calls it "attest". Since these chiefs now have to put their jobs on the line, one observes corporate web postings that include a code of ethics, and in Canada, whistle-blowing activity has begun. One criterion for incoming board members is that they be financially literate. One might think, with good reason, that being technology-literate would be a requisite too.

While adherence to American, Canadian, and European chief officers' sign-off requirements does not regulate Information Technology (IT), IT is the basis for the financial processes that the law regulates. And though Chief Information, Operations, and Technology Officers, to name a few, are not directly accountable as signatories for the accuracy of the information contained in filings, as executive officers they have direct fiduciary responsibility to act in the best interest of the enterprise and its stakeholders. As such, they must devote attention to implementing necessary policies, practices, and systems to ensure appropriate levels of compliance, transparency, and auditability. After all, Section 404 requires an attestation to the scope and adequacy of the internal control structure and procedures for financial reporting, and an assessment of the effectiveness of the internal controls and procedures.

And though Chief Information, Operations, and Technology Officers are accustomed to tweaking their Virtual Private Network, mapping corporate security, or monitoring day-to-day scheduling in the palm of their hand on, say, a Palm Pilot or a BlackBerry, bringing the corporation in line with Section 404 is a monumental task at hand.

Playing with Fire 

Section 404 covers the scope and adequacy of the internal control structure and procedures for financial reporting, and the assessment of the effectiveness of such internal controls and procedures. Specifically:

1. Control Environment: gauge integrity concerning segregation of duties.
2. Risk Assessment: benchmark risks.
3. Control Activities: identification of procedures, documentation and gaps.
4. Monitoring: reckon the efforts and instigate deficiency correction.
5. Information and Communication: investigate how information is captured, processed and reported down, across and up the organization.

For more details see "Sarbanes Oxley Primer".

Some companies are looking to get a better return on their investment in Sarbanes-Oxley compliance by making it part of a larger exercise that looks at firm-wide processes and controls, and not just those surrounding financial reporting; or perhaps corporations want to develop and strengthen internal audit. After all, proposals now on the table would require all companies listed on the New York Stock Exchange to have an internal audit function.

In the end the Chief Executive and Financial Officers will have complete visibility of the objectives, assessments, and corrective activities identified at each level of the organization, confidently signing off knowing that all levels have conducted the appropriate review, assessment, and monitoring of Internal Controls.

 


Team ßetaWatch Compliance Process

ßetaWatch Inc. digital due diligence™
Team ßetaWatch International offers management of internal controls that provides assurance regarding the achievement of effectiveness and efficiency of operations and compliance with applicable laws and regulations. BetaWatch has expert knowledge of the International Organization for Standardization’s document, ISO 9126, a worldwide standard for software-product evaluation and quality characteristics, and is expert in COSO (http://betawatch.com/Sarbanes-Oxley-Primer), SEC-mandated evaluation criteria.

BetaWatch provides a technology audit risk service that allows stakeholders to gain control over the risk management process: this enables the board of directors and the audit committee to comply with higher standards of governance and identify appropriate accountable measures.

On June 9th, 2004, Temi is delighted to address the members of the British Computer Society of Upper Canada, "Playing with Fire: Corporate Governance Challenge and what it means to IT".
 
* Sarbanes Oxley section 404
* Sanity Check
* Security Audit
* Competitive Intelligence
* Field Trials
 

Please send comments, questions and suggestions for newsletter topics to:  tgrafstein@betawatch.com

To speak to Grafstein call 1.866.638.2382

 
   

© 1999-2004 ßetaWatch Inc.