A recent decision by Ontario securities regulators to scrap a proposed financial reporting rule won’t spare IT managers from their compliance chores, according to those with expertise in Bill 198 and the U.S. Sarbanes-Oxley law.
Last month the Canadian Securities Administrators (CSA) withdrew Multilateral Instrument 52-111, also known as “Reporting on internal controls in financial reporting.” Under that rule, which was considered the Ontario equivalent of Section 404 in Sarbanes-Oxley, reporting issuers on the Toronto Stock Exchange would have had to issue a report from their management on the effectiveness of internal control over financial reporting, including the IT systems used to manage such information, as well as submit to an audit by a third party. The CSA released 52-111 in February 2005 for comment but dropped it in March.
Instead, the CSA has proposed Multilateral Instrument 52-109, “Certification of disclosure in issuers’ annual and interim filings,” which would still require management to do an internal assessment, but not third-party auditors.
“At first I did a little happy dance,” said Anna Wilson, manager of IT compliance and control at Sobeys, who spoke about 52-111 at last week’s LinuxWorld/NetworkWorld conference in Toronto. “It didn’t last long, because if you use external auditors for other compliance projects they have to access computer controls anyway. They just won’t have to include them in their final report.”
While small and medium-sized businesses may shy away from using external auditors, Sobeys and other firms need their assessments to meet a variety of regulatory requirements, including SoX, if they are to operate on both sides of the border. Like many other large enterprises, Sobeys often works with firms such as PricewaterhouseCoopers to prove its processes are secure and above-board.
“At the end of the day there’s not much that’s changed, other than they’re not going to have a set of eyes looking to certify their controls,” said Tony Pedari, a partner in PwC’s Toronto office who deals regularly with Bill 198 and other regulatory issues. “Management still needs to get comfortable that their controls are still operating effectively.”
Although Ontario has moved far more slowly than the United States, which passed SoX in less than a year, Pedari said boards of directors at firms here are getting more involved in evaluating the various liabilities companies could face if they don’t meet requirements. Because IT is so pervasive in these firms, he added, they have a big impact on how financial processes occur, which means CIOs and IT departments play a big role in compliance.
Wilson said Sobeys’ IT controls over financial information include general controls such as operating systems, databases and bandwidth, as well as the accuracy of information in an enterprise resource planning system, finance or accounting software package. The problem, she said, is that there aren’t a lot of specific guidelines for IT professionals.
“I’ve gone to battle with external auditors on more than one occasion,” she said. “They come in with their little checklists, often employing junior people with little to no understanding of your system or your unique situation. All they have is their checklist.”
Pedari said enterprises have to beware of “framework fatigue” and look at industry process guidelines such as COBIT or ITIL to avoid major problems.
“The good organizations will step back and say, ‘I implemented ITIL for a reason,’” he said. “The key lessons from SoX are ensuring it’s risk-based, that there’s proper scoping – either falling short or doing too much doesn’t work – and ensuring all the key stakeholders are engaged. IT is not a separate process. It’s integrated with the business process . . . How to react to that will vary dramatically.”
The CSA has set a deadline for Multilateral Instrument 52-109 compliance of October 2007.