Assessing and Reporting on Internal Controls: The Implications of Sarbanes-Oxley and Bill 198

Shelley Tremblay and Peter Laureshen

PricewaterhouseCoopers Presentation to Petroleum Joint Venture Association (PJVA)

March 16, 2004

Agenda

• The New Reporting Environment

• U.S. Sarbanes-Oxley Act and Canadian Bill 198 Rules

• Elements of an Internal Control Framework

• Front line Feedback – PwC Survey Results

• Challenges for Oil and Gas Companies

• Conclusions

The New Reporting Environment

What is driving the new reporting requirements?

The Recent Failures

• Dotcoms, Nortel, Cisco

• Enron

• Adelphia

• WorldCom

• Tyco

• Parmalat

• Hollinger

• Mutual Fund Industry

The Responses

• U.S. Sarbanes-Oxley Act (2002) or “SOx”

• Canadian Bill 198 and Multilateral Instrument 52-109 (2003) or “CSOx”

What has Changed? Truth or Consequences!

Years in Jail:

a) 1-2 years

b) 3-5 years

c) 10-20 years

d) 11-14 years

e) 20-25 years

The penalties for a CEO and/or CFO for providing a false certification of financial information under the Sarbanes-Oxley Act are now substantial!

• Escaping from prison

• Kidnapping involving Ransom

• Incorrect SOx Certification

• Second Degree Murder

• Hijacking

U.S. Sarbanes-Oxley Act and Canadian Bill 198 Rules

U.S. Sarbanes-Oxley Act (“SOx”)

The U.S. Sarbanes-Oxley Act of 2002 contains 11 Titles and 66 Sections.

Title I – Public Company Accounting Oversight Board. PCAOB formed as branch of Securities and Exchange Commission (SEC). Public Auditing firms must register with PCAOB and are now brought under the regulation of the PCAOB.

Title III – Corporate Responsibility. Section 302 establishes certification requirements for CEOs and CFOs of Annual and Quarterly reports filed with the SEC.

Title IV – Enhanced Financial Disclosures. Section 404 (a) requires management to assess and report on internal controls, and Section 404 (b) requires the company’s External Auditor to attest to and report on management’s assertions on internal controls.

PCAOB Auditing Standard for Attestation of Internal Control Report

On March 9, 2004, the PCAOB adopted “Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”, the attestation standard referred to in Section 404(b).

Implementation has been delayed for “Issuers” and “Accelerated Filers” and is now effective for companies whose fiscal years end on or after November 15, 2004 (original date was September 15, 2003, then June 15, 2004).

For “Foreign Private Issuers” (including most Canadian companies), implementation is effective for companies with year-ends on or after July 15, 2005.

Canadian Bill 198

In June 2003, the Ontario Securities Commission (“OSC”) and the Canadian Securities Administrators (“CSA”) published for comment three new corporate governance rules, collectively referred to as Bill 198:

• Multilateral Instrument 52-108 Auditor Oversight

• Multilateral Instrument 52-109 Certification of Disclosure in Companies' Annual and Interim Filings (“CSOx”)

• Multilateral Instrument 52-110 Audit Committees

Multilateral Instrument 52-109 (CSOx) is basically adopting SOx Section 302 with an emphasis on Disclosure Controls and Procedures (DC&P).

The issue of whether to implement a SOx Section 404 equivalent certification with an emphasis on Internal Controls over Financial Reporting (ICFR) and External Auditor attestation has been tabled pending further study.

CSOx Rules - CEO/CFO Certification

Interim Filings – CEO and CFO to certify that they:

• Are responsible for Internal Controls over Financial Reporting (ICFR), and Disclosure Controls and Procedures (DC&P).

• Have designed Internal Controls over Financial Reporting (ICFR) to provide reasonable assurance that financial statements are fairly presented in accordance with GAAP.

• Have designed Disclosure Controls and Procedures (DC&P) to provide reasonable assurance that material information is made known to them by others within the issuer and its consolidated subsidiaries.

• Have indicated in the MD&A any changes to Internal Controls over Financial Reporting (ICFR) that have materially affected, or are reasonably likely to materially affect, the issuer’s Internal Control over Financial Reporting.

Annual Filings – In addition to certification in interim filings, CEO and CFO to certify that:

• They have evaluated the effectiveness of Disclosure Controls and Procedures (DC&P).

• They have presented their conclusions on those controls in the annual MD&A.

Filings to be Certified

• Annual Information Form (AIF), annual financial statements, annual MD&A, interim financial statements and interim MD&A

CSOx Rules - Implementation Timeframe

Phased-in approach to meeting requirements:

Instrument comes into force on March 30, 2004. Annual certificates apply for financial years beginning on or after January 1, 2004.

However, Transitional “Bare Certificate” can be filed for financial years ending on or before March 30, 2005. The “Bare Certificate” requires that the CEO and CFO certify that:

• They have reviewed the filings.

• The filings do not include any untrue statement of a material fact or omit to state a material fact.

• The financial statements along with other financial information, fairly present financial conditions, results of operations and cash flows.

Summary - Addressing the Requirements of SOx and CSOx

[Diagram. Labels: Disclosure Requirements; Internal Controls over Financial Reporting (including footnotes); Disclosure Controls and Procedures; Internal Controls over Disclosure Requirements; Compliance; Operations; Financial Reporting; Internal Accounting Controls.]

Legend – Disclosure Controls and Procedures: Controls and other procedures designed to ensure information required to be disclosed by issuer is recorded, processed, summarized and reported in a timely manner.

Elements of an Internal Control Framework

Definitions

Disclosure Controls and Procedures (DC&P)

• Provide reasonable assurance that:

• information required to be disclosed is recorded, processed, summarized and reported within the time periods required.

• such information is accumulated and communicated to the issuer’s management, including the CEO and CFO, in order to allow timely decisions regarding required disclosure.

• Apply to material financial and non-financial information to be included in public reports so that investors are fully informed.

• Broader than Internal Controls over Financial Reporting (ICFR), and inclusive of ICFR to the extent it impacts disclosures.

Definitions (cont.)

Internal Control over Financial Reporting (ICFR)

• Provide reasonable assurance on the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and addresses:

• maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the issuer

• reasonable assurance that transactions are recorded to permit the preparation of financial statements in accordance with GAAP, and that receipts and expenditures are made in accordance with authorizations of management and directors; and

• reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material impact on the financial statements.

The Five Components under the COSO Framework

Control Activities

• Policies and procedures that ensure management directives are carried out.

• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

• Assessment of a control system’s performance over time.

• Combination of ongoing and separate evaluation.

• Management and supervisory activities.

• Internal audit activities.

Control Environment

• Sets tone of organization, influencing control consciousness of its people.

• Factors include integrity, ethical values, competence, authority, responsibility.

• Foundation for all other components of control.

Information and Communication

• Pertinent information identified, captured and communicated in a timely manner.

• Access to internal and externally generated information.

• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Risk Assessment

• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for a control to be effective.

Front Line Feedback – PwC Survey Results

Results from January 22-23, 2004 PwC Survey of 120 SOx 404 Project Leaders from major corporations attending a Sarbanes-Oxley Conference held in New Jersey

Front Line Feedback – Snap Shot

1. Nearly 75% of respondents have seen a significant increase in the level of effort required to comply with SOx 404 as compared to original estimates. About 1/3 of these saw increases of more than 75%.

2. Respondents reported difficulties in the following areas:

• Level of Testing required 95%

• Documentation 89%

• Multiple Locations 65%

• Evaluating Control Weaknesses 63%

• Initial Scoping 59%

• Outsourced Processes 46%

• Global Support 35%

• Specialty Processes e.g. treasury/tax 33%

3. Respondents reported that the areas where their companies are most likely to need remedial work to fix problems prior to certification are:

• Manual controls 72%

• Computer controls (excluding security) 65%

• Security 54%

• Fraud 44%

• Financial reporting 35%

• Audit Committee 13%

4. Respondents reported they intend to make improvements in the following areas in future to streamline compliance.

• Risk identification and assessment 67%

• Financial Reporting 50%

• Internal Audit 46%

• Compliance Management 46%

• IT Security Strategy and Implementation 44%

• IT Oversight and Operations 41%

• Risk Mitigation Processes 33%

The Challenges Ahead for Oil and Gas Companies

Oil & Gas Exploration & Production

Some Internal Control challenges for E&P Companies?

• Production accounting (reconcile to measurement and delivery points; production allocations)

• Revenue accounting (involving commodity trading, derivatives, inventory hedging)

• Reserves estimates (conflicting US, Canada rules)

• Joint Interest accounting (reliance on Land, DOI)

• Accuracy of Division-of-Interest (DOI) across all IT systems (Production, Reserves, Revenue, JI Acct, Land, Budgeting)

Joint Venture Arrangements

• Assess significance of Non-operated Properties in terms of quantitative and qualitative materiality factors, and in relation to company’s significant accounts and disclosures.

• Challenge is to obtain appropriate comfort over Internal Controls over Financial Reporting (ICFR) of Operators.

– JV Audit Process

– Controls over JV Billing Process

– Validation of revenues vs. expenditures

Oil and Gas Companies Recently in the News:

• Royal Dutch Shell – Reserve estimates reduced by 20%. Cascading reserve reductions by companies and trusts with interests in Shell-operated properties.

• El Paso - Reserve estimates reduced by 35-40%. Disclosed values of reserves exceeded Independent Reserve Estimates.

• BP – Reduced reserves estimates by 2-3%.

Conclusions

The world has changed for CEOs, CFOs, Directors, Audit Committees, Auditors, and for Management and Employees, albeit in different ways.

The bar has been raised (or lowered), and … for some, the “bars” will close!

The short-term challenges for corporations are project related.

The longer term challenges are creating a sustainable compliance program that fully integrates compliance steps into routine management practices.

Some companies are not going to make it. Some companies will have significant deficiencies; some companies will receive negative opinions from their auditors. The capital markets will determine the consequences.

Contact Details

Shelley Tremblay, Manager and Peter Laureshen, Manager PricewaterhouseCoopers LLP

Suite 3100, 111 - 5th Avenue SW

Calgary, Alberta, Canada T2P 5L3

Shelley: (403) 296-4007

Peter: (403) 509-7485

PASC www.petroleumaccountants.com

PJVA www.pjva.ca