Sound assurance reviews require a common approach for procedures and reporting in assurance, evaluation, and non-assurance based engagements. These standardized approaches have been designed to:
- encourage a strategic and risk-based approach when selecting the scope and objectives of a planned internal audit;
- facilitate consideration the full spectrum of policy and related program implications of the planned subject matter;
- benefit from "best practice" approaches, procedures and templates.
- utilize the International Internal Audit (IIA) Standards and Internal Audit Standards for the Government of Canada; and
- utilize the Evaluation Standards of the Government of Canada.
icorp.ca has the expertise to support you in the following types of assurance reviews and evaluation engagements:
- Assurance engagements – to provide assurance on the design and operation of risk management strategies, management control frameworks, and performance information. Assurance is provided when an opinion is rendered, supported by appropriate evidence and designed procedures so that the risk of an inappropriate conclusion is reduced to a low level. Assurance engagements include: Management Control Framework (MCF) Audits; Compliance Audits; and Value for Money (VFM) Audits.
- Review engagements – Review services are objective examinations of evidence for the purpose of providing an independent assessment of the soundness of governance processes, risk management strategies and practices, management control frameworks and practices, and information used for decision-making and reporting. Review engagements include: Management Reviews; and System Under Development (SUD) Reviews.
- Consulting engagements – Consulting services represent an objective and constructive assessment of specific activities, policies, frameworks, processes and controls, and advisory analyses for the purpose of providing an analyses of the soundness of governance processes, risk management strategies and practices, management control frameworks and practices, and information used for decision-making and reporting. Consulting engagement categories include: Advise and Assists; Special Studies; RMAF & RBAF Development Support; and Program Activity Architecture (PAA) Support.
- Advice on Program and Performance Measurement Strategies – evaluation expertise and support for: Program Activity Architecture (PAA) advice; Data Collection Instruments and analyses; Departmental / Corporate Performance Measurement Strategies and techniques; and Program Performance Measurement Strategies and techniques.
icorp.ca's Results Based Management (RBM) Approach
Results-based management (RBM) is the over-arching management approach for achieving results and enhances transparency and accountability through program performance reporting and results-based evaluations. RBM is reliant upon monitoring a set of performance indicators and communicating performance information to ensure that processes, products and services are aligned with, and contribute to, the attainment of program objectives.
Our RBM approach is a comprehensive, life cycle approach to program management support that integrates program strategy, resources, processes, the program logic model, and performance measurement to improve decision-making and achieve results. A results-based evaluation approach is applied as an integral work instrument for shaping design, planning, execution, and reporting functions for program, policy, and initiative performance assessments, and sets out to determine whether the following key success factors have been met:
- Relevance of Results – the program, policy or initiative continues to make sense in terms of the priorities, needs or issues to which it is intended to respond;
- Success of Results – progress is being made toward the achievement of results at the outcome and impact levels;
- Cost Effectiveness of Results – the relationship between costs and results are reasonable, in relation to alternatives;
- Sustainability of Results – the results / benefits will continue after organizational / program investment ends or is modified;
- Appropriateness of Program Design – the design of the program is appropriate and based upon a sound understanding of the intentions, conditions, issues, and risks;
- Appropriateness of Resources Utilization – suitable resources (human, financial and physical) are being employed / utilized well; and
- Informed and Timely Action – anticipated change and appropriate action is achieved based upon sound and adequate information.
icorp.ca undertakes evaluations and assessment on behalf of clients as integral tools for program and policy managers to ensure that the department has timely, strategically focused, objective and evidence-based information on the performance of organizational policies, programs and initiatives to produce better results for Canadians. An example of a program evaluation continuum is illustrated below.
Certification / Review of Design of Internal Control Over Financial Reporting (ICFR)
In the private sector, under Multilateral Instrument 52-109, Certification of Disclosure in Issuers' Annual and Interim Filings, CEOs and CFOs must certify that they have designed internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must also certify that they have caused the company to disclose - in the annual or interim Management Discussion and Analyses (MD&A), as appropriate - changes in internal control that have had or may have a material effect on the company's internal control.
In the public sector, a similar requirement is set out in Treasury Board policy that requires the Deputy Head and the CFO to make representations that they have reviewed the effectiveness of the system of internal control over financial reporting to provide reasonable assurance over the reliability of financial reporting and the preparation of external financial statements in compliance with generally accepted accounting principles. They must disclose the results of their review in an annual departmental Statement on Internal Control that is to be disclosed in the Departmental Performance Report (DPR). The disclosure will also include any internal control deficiencies and actions that are being taken to correct material deficiencies, along with the Financial Statements Discussion and Analyses (FSD&A) disclosure.
These certifications represent significant undertakings and will require significant judgment on the part of the certifying officers.
What Is Required?
The requirements for certifying / reviewing the design of internal control are in place. As soon as possible, management needs to:
- establish an appropriate evaluation and oversight process; and
- implement procedures to evaluate the design of internal control over financial reporting and to ensure that significant changes in internal control can be identified so that appropriate disclosure can be made in the organization's MD&A.
The Audit Committee should also be involved, either from being heavily engaged in the oversight of the planning, execution and conclusion stages of the process, or to being only involved at a high level of monitoring the certifications. Whatever level of oversight the Audit Committee adopts, it is important that management understand the Audit Committee's expectations from the beginning and communicate openly with them throughout the process. Although certification / review is the responsibility of the CEO and CFO, that certification / review addresses an important financial reporting issue and has MD&A / FSD&A reporting implications that are serious accountabilities of the Audit Committee.
Design of Internal Control
Internal control over financial reporting is properly designed when those controls would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements.
Evaluating the design involves:
- considering whether those controls, when in operation, would achieve this objective;
- determining whether the controls have been implemented (i.e. the control exists and the organization is using it); and
- considering whether appropriately qualified persons are intended to be carrying out the control.
Documenting Internal Controls
Documenting internal controls can be a significant undertaking. Determining the extent of documentation is a matter of judgment, influenced by the size of the organization, its business environment, and the complexity of its operations.
A "top-down, risk-based" approach can help decide how much documentation is required and where resources should be focused. Focus attention on where material errors could occur and the related key controls.
Internal controls can be documented through policies and procedures manuals or handbooks, narratives, flow charts, risk matrices, or some combination of these options.
Evaluating the Design of Internal Control
Typically in developing a design evaluation process, five major elements are considered:
Select an internal control framework
MI 52-109 does not require management to use a recognized control framework when evaluating the design of internal controls, however organizations typically use the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO defines internal control, describes its components, and provides criteria against which management, Boards or other (Audit Committee or external auditors) can assess their control systems. Management should consider using such a framework because it provides an organized basis for evaluation, and is ever-greened internationally.
Assess the Design of Internal Control
To assess the design of controls, it is necessary to determine whether the control would effectively mitigate the identified financial reporting risk on a timely basis and whether the controls have been implemented.
Assess Whether the Controls are Operational
There are several techniques to assess whether the designed internal controls are in fact being used including inquiry / substantive inquiry, observation and / or inspection.
In addition the organization should consider using walkthroughs when evaluating the design of controls. Such walkthroughs provide evidence to:
- confirm an understanding of the process flow of transactions;
- confirm an understanding that activities are complete by determining whether all points at which misstatements could arise have been identified;
- evaluate the effectiveness of the design of controls; and
- confirm whether controls have been placed in operation.
Determine the role of internal audit
For organizations with an Internal Audit function, management should determine whether Internal Audit can effectively play a role in the evaluation of the design of internal controls. Internal Audit's participation could include documenting controls, performing walkthroughs for management or simply providing oversight of the process.
Address design deficiencies
During the evaluation, management may discover internal control design deficiencies. A deficiency exists when the assessor concludes that a control is not capable of effectively preventing or detecting a misstatement in the financial statements or when a control necessary to mitigate a risk is missing.
The Audit Committee should encourage management to remediate ineffectively designed controls prior to year-end. Prioritizing remediation requirements can help determine that available resources focus on those deficiencies of greater significance.
Management should discuss with the Audit Committee the process for dealing with deficiencies. Together, they should determine the types of deficiencies that management should bring to the Audit Committee's attention and the nature of such reporting.
Using the Design Evaluation for Future Evaluations of Effectiveness of Internal Controls
Certification / review of the effectiveness of internal control will require that the design evaluation process should dovetail with the organization's future need for an assessment of the effectives of internal control. The process for evaluating the effectives of internal control builds on the process for evaluating design. Significant incremental elements include:
- assessing if the control, when in operation, functions as designed;
- determining the consistency with which the controls were applied; and
- considering whether appropriately qualified persons are actually carrying out the control.
Carefully planned, the process for evaluating design can simplify the work required for the future evaluation of the effectives of internal control. The Audit Committee should encourage management to develop the design evaluation so it can be used to a maximum extent in the future evaluation of effectiveness of internal control.
External Auditor Involvement
Management may want help in documenting controls or evaluating the design of internal controls, or management and the Audit Committee may want to obtain some form of additional comfort on the assessment. External auditors can be asked to assist in various ways. For example, they may:
- provide advice and counsel regarding management's processes;
- assist in documenting specific processes or areas of the organizations's internal control over financial reporting;
- provide specialized resources to assist in complex areas such as information technology;
- review management's draft documentation, providing observations and recommendations;
- perform specified procedures determined by management, and report findings and, as appropriate, recommendations; and
- where warranted, provide an integrated audit of the company's internal control over financial reporting and its financial statements.
Management, the Audit Committee and the external auditors should consider these options, while the organization is developing its approach to this evaluation.
All organizations, regardless of size, need to develop a process to evaluate the design of internal control. The requirements for certifying / reviewing the design of internal control are now in place. Starting now will contribute to an effective evaluation and enable management to identify deficiencies early and prior to the reporting deadline. At the same time the Audit Committee should determine the extent of its involvement in the oversight of this process and communicate its expectations to management.
Do you have the assurance you need to support critical decisions? Do you have the assurance needed to discharge your fiduciary responsibilities? Is your current approach relevant and effective? icorp.ca's Assurance Review services can help you discern complex policy decisions. So, who is supporting your assurance review and evaluation strategy? GO THERE!™
For more information about icorp.ca's Insight expertise, contact us.