Let’s pretend for a second that Sarbanes-Oxley Act of 2002 (SOX) does not exist; auditing requirements for controls are absent and legislation surrounding disclosures is significantly reduced. Would companies voluntarily report controls information? If so, how detailed would that information be? Canadian filings may provide us with some insight into this scenario.
In August 2008, the Canadian Securities Administration issued National Instrument 52-109 (NI 52-09) which requires certifying officers of Canadian public companies to establish and maintain a system of effective Disclosure Controls (DC&P) and Internal Controls (ICFR) over Financial Reporting.1 Unlike SOX 404 and SOX 302 requirements applicable to U.S. companies, NI 52-109 does not require companies to explicitly state whether their controls are effective. Instead, a company is only required to disclose a material weakness if any are found.
One issue that comes to mind when using self-reported, unaudited disclosures is that of the reliability and accuracy of the disclosure. A recent study conducted by Dr. Robert Pozen, a senior lecturer at Massachusetts Institute of Technology’s Sloan School of Management and Audit Analytics indicates that, for the Canadian companies that file with SEDAR, a number of material weaknesses might be under-reported.
The study, which evaluated controls disclosed by companies that had to restate their financial statements between years 2009 and 2016, found that only 18 of the 78 companies (or less than 25%) reported ineffective internal controls. Moreover, for quantitatively material restatements (those with at least 5% impact on net income) the results were quite similar – only 14 out of 43 companies reported material weaknesses. We would expect this ratio to be significantly higher, especially for material restatements because material errors provide a strong indication that controls were not effective. After all, errors were not identified or captured in a timely manner.
Audit Analytics then conducted further analysis of controls disclosures provided by 1,236 Canadian companies in the first six months of 2017. One of the challenges that we faced while conducting the analysis was figuring out which companies disclosed ineffective controls. One would think that this should be straightforward – the controls could be effective or not effective, right? Well, it is often not that simple.
There were 232 Canadian companies with ineffective controls. Of those, only 68 companies explicitly stated that their Internal Controls were not effective.
Of the remaining 164 companies, 18 companies disclosed a material weakness without providing an explicit conclusion, or stated that ICFR were effective despite the material weakness. 81 companies noted lack of certain controls (the most common one being lack of proper segregation of duties), while failing to identify material weakness or to explicitly state that controls are not effective. 56 companies disclosed weaknesses in internal controls, while stating that their disclosure controls are effective. While it is possible that companies may reach different conclusions about internal and disclosure controls, the two are strongly correlated.
This phenomenon is unique to Canadian companies – in the U.S., DC&P and ICFR are strongly correlated.
In the U.S., controls-related disclosure is mandatory, but in Canada the requirement is mandatory only for a subset of companies. So why would a company provide a more detailed disclosure than necessary, or even file a disclosure at all if they are not required to?
Part of the disclosure is based on the NI 52-109 requirement to disclose any changes in ICFR, including scope limitations related to recently acquired entities. Dual-listed companies that comply with SOX 404 and SOX 302 are exempted from NI 52-109 but often choose to include these reports in their SEDAR filings. Finally, some companies simply voluntarily file more detailed disclosures, including providing an assessment of effectiveness.
As we demonstrated above, there are significant inconsistencies and lack of clarity in how Canadian companies disclose internal and disclosure controls. One possible solution to increase transparency would be to require external auditors to review management’s assertion. But, according to the quote of the former chair of the Ontario Securities Commission Ed Waitzer, this issue is unlikely to be a priority for Canadian legislators.
Audit Analytics tracks audit fees, auditor changes, controls, and restatements for Canadian issuers. Please contact Audit Analytics for an online demonstration or to learn more about these data sets. You can call us at (508) 476-7007 or e-mail info@auditanalytics.com.
1. National Instrument 52-109 (NI 52-09), Certification of Disclosures in Issuers’ Interim and Annual Filings, requires certifying officers of Canadian public companies to establish and maintain a system of effective Disclosure Controls (DC&P) and Internal Controls (ICFR) over Financial Reporting. It is worth noting that NI 52-109 prescribes only management certifications; there is no auditing requirement..”↩