A recent decision by Ontario securities regulators to scrap a proposed financial reporting rule won’t spare IT managers from their compliance chores, according to those with expertise in Bill 198 and the U.S. Sarbanes-Oxley law.
Last month the Canadian Securities Administrators (CSA) withdrew Multilateral Instrument 52-111, also known as “Reporting on internal controls in financial reporting.” Under that rule, which was considered the Ontario equivalent of Section 404 in Sarbanes-Oxley, reporting issuers on the Toronto Stock Exchange would have had to issue a report from their management on the effectiveness of internal control over financial reporting, including the IT systems used to manage such information, as well as submit to an audit by a third party. The CSA released 52-111 in February 2005 for comment but dropped it in March.
Instead, the CSA has proposed Multilateral Instrument 52-109, “Certification of disclosure in issuers’ annual and interim filings,” which would still require management to do an internal assessment, but not third-party auditors.
“At first I did a little happy dance,” said Anna Wilson, manager of IT compliance and control at grocery retailer Sobeys Inc., who spoke about 52-111 at the recent LinuxWorld/NetworkWorld conference in Toronto. “It didn’t last long, because if you use external auditors for other compliance projects they have to access computer controls anyway. They just won’t have to include them in their final report.”
While small- and mid-sized businesses may shy away from using external auditors, Sobeys and other firms need their assessments to meet a variety of regulatory requirements, if they are to operate on both sides of the border. Like many other large enterprises, Sobeys often works with firms such as PricewaterhouseCoopers to prove its processes are secure and above-board.
“At the end of the day there’s not much that’s changed, other than they’re not going to have a set of eyes looking to certify their controls,” said Tony Pedari, a partner in PwC’s Toronto office who deals regularly with Bill 198 and other regulatory issues.
Pedari said Canadian corporate directors are getting more involved in evaluating the various liabilities companies could face if they don’t meet requirements. Because IT is so pervasive in these firms, he added, it has a big impact on how financial processes occur, which means CIOs and IT departments play a big role in compliance.
Wilson said Sobeys’s IT controls over financial information include general controls – such as operating systems, databases and bandwidth – as well as the accuracy of data in enterprise resource planning and financial accounting software. The problem, she said, is that there aren’t a lot of guidelines for IT professionals.
“I’ve gone to battle with external auditors on more than one occasion,” she said. “They come in with their little checklists, often employing junior people with little to no understanding of your system. All they have is their checklist.”
Pedari said enterprises have to beware of “framework fatigue” and look at industry process guidelines such as CoBIT or ITIL to avoid major problems.
“IT is not a separate process. It’s integrated with the business process . . . How to react to that will vary dramatically,” Pedari said.
Companies must comply with 52-109 by October 2007.