‘Canadian Twist’ on SOX

Canadian insurance companies, unlike their U.S. counterparts, will not be required to have external auditors attest to their declaration of good corporate governance, under Canada’s proposed legislative equivalent to the U.S. Sarbanes-Oxley Act.

However, small and mid-sized Canadian companies will be required to report “material weaknesses” in their government structures in a more public way than ever before, Issues Central Inc. president Catherine Connally told people attending a March 2006 Insurance Institute of Ontario seminar in Toronto.

The seminar discussed the impact of ‘C-SOX,’ Canada’s version of the U.S. Sarbanes-Oxley Act. The U.S. version of the corporate governance legislation is commonly referred to as ‘SOX.’

ELEVATING AUDITORS

The mandate of Issues Central is to help Canadian and American organizations, including insurance companies, “dramatically reduce the cost of providing solid governance frameworks” in compliance with financial and other regulations, the company Web site notes. Its approach is geared towards mid-size and emerging publicly-traded companies that have limited resources to use for compliance requirements as compared to their larger counterparts. The company estimates there are now about 250 Canadian-based filers of SOX.

Connally said many U.S. insurance companies own very complex financial portfolios; as a result, they are finding it onerous to comply with SOX’s provisions. SOX was enacted in the U.S. after several companies folded in the wake of financial fraud, exposing concerns about the quality of companies’ financial reporting and external audit controls.

Sections 301 and 404 of Sarbanes-Oxley require companies to have independent, internal audit committees and to have external auditors sign off on the work of the internal audit committees.

“[One] aspect [of SOX] is audit committee elevation and responsibility,” Connally said. “Many companies prior to the act didn’t even have audit committee, or they were just a rubber stamp and really didn’t have a lot of authority…

“The audit committee now owns the internal control procedures or documentation of the company. That’s a big responsibility….They deal with the outside auditors, they have to have certain financial experts and they must be independent.”

The fact that the company’s internal auditors have to be independent has proven to be a headache for many U.S. companies, Connally observed. Because a company’s audit committee must be independent, for example, accountants can no longer seek advice from outside auditors responsible for attestation. If they do, the attesting auditors would have to write up the company for a “material weakness” (i.e. a company’s accountants should know the answers to these financial questions). Companies have therefore resorted to hiring external auditors strictly for the purpose of consultation. Partly as a result of having to hire so many auditors to maintain independence, Connally says SOX has driven up costs for many U.S. companies.

Connally noted there is currently a U.S. legal debate about a Feb. 2006 Securities Exchange Commission proposal to waive the requirement for an external auditor’s attestation if a company’s revenue is less than US$787 million. She said this debate has influenced the crafting of C-SOX, which is expected to take the form of legislation in Sept. 2006.

A CANADIAN TWIST

When drafting C-SOX, Canadian financial regulators recognized Canadian companies are generally smaller than U.S. firms, Connally said. C-SOX therefore eliminates the external auditor attestation requirement for Canadian public companies, Connally noted. At the same time, Connally noted, C-SOX contains a “uniquely Canadian twist” that addresses the need for thorough and transparent financial reporting.

C-SOX requires Canadian public companies to describe the process they used to test their internal financial controls in Management Discussion and Analysis (MD&A) reports, which are to be made public. As the legislation currently stands, this must be done by no later than the end of fiscal year 2007.

“I think that’s really great,” Connally said. “A lot of companies are already doing that, because they believe in transparency.

“But what this does is force the companies to put their process [in the MD&A] – how they did this whole thing – and put it in front of everybody…

“They’re really trying to shine a bright light on that, saying: ‘Now that that we don’t have auditor attestation, we still want you to take it seriously.'”

Typically, Connally observed, insurance companies haven’t been eager to disclose their MD&A statements.

“You don’t want your competitors to know your ‘secret sauce’ and have that pushed out in the public,” she said. But she welcomed the new transparency that comes with C-SOX.

C-SOX TRANSPARENCY

As a result of this transparency, internal audit committees must report whether the design of their companies’ internal controls contain any “material weaknesses.” This has enormous implications for deciding whether to report fraud, Connally noted.

“Besides material weaknesses, if you find fraud – even if it’s not necessarily hugely material – there’s a judgment call there as to whether you’ve got to report it,” she said. “If somebody stole $100 from the petty cash fund and potentially it’s due to weaknesses in the controls, then you’ve got to make a decision on that about whether to report.”

In such a situation, the internal audit committee would have to consider the “materiality” of the fraud, at what point in time the fraud happened and how often it happened.

“Because if you’re going to disclose fraud in your financial statements or in your annual report, it’s going to have an impact, so you want to make sure it’s something really bad,” Connally said.

It’s a tough judgment call, she added, saying she has seen company representatives come close to blows during debates about whether fraud should be reported as a “material weakness” in the company’s financial controls.

Connally noted the C-SOX definition of an “internal control” is much more forgiving than the U.S. external auditors’ approach.

In C-SOX, an internal control is defined as a “process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”

The key words, Connally said, are “reasonable assurance.”

“This is hugely important,” Connally said. “Auditors are looking for absolute assurance. That’s too onerous.”