If you’re the CIO of a publicly held company, you’re well aware that you fit into the compliance picture. But if you’re not quite sure how large your piece of the canvas is, this article should give you a better understanding of whatyou’re facing.
In a nutshell, Bill 198 requires publicly held companies to implement internal controls over financial reporting and disclosure controls and procedures; evaluate the strengths and weaknesses of these controls; and certify to their effectiveness in official documents filed with Canada’s securities regulators. If this sounds a lot like Sarbanes-Oxley (SOX) it’s because that was the intent. Canadian authorities designed parts of Bill 198 to be very similar to SOX so that Canadian investors would not be tempted to send their capital to more regulated markets in the US.
Like SOX, the most fundamental element of Bill 198 is the requirement that companies adopt internal controls over financial reporting, demonstrate their effectiveness, and disclose the strengths and weaknesses of these controls.
Although Bill 198 does not directly address IT, it has significant IT and information security implications because most companies’ financial reporting and operations depend heavily on information technology. As such, the Bill affects IT in the areas of:
– Control: internal controls over financial reporting, and disclosure controls and procedures
– Evaluation: governance, measurement and recordkeeping, and
– Disclosure: reporting and certification
To understand the controls, evaluation and disclosure requirements, companies first need to understand Bill 198 in more detail.
The bill, and an instrument created to implement it known as MI 52-109, were designed to achieve two primary goals: to make sure that financial results reported to shareholders are accurate, and to prevent top management from placing the blame on subordinates or breakdowns in procedures not directly under their control.
MI 52-109 requires companies to file annual and interim certifications with securities regulators demonstrating that they have designed internal controls over financial reporting to ensure reporting reliability. It also requires proof that they have designed disclosure controls and procedures to ensure that required disclosures are made, and that all material information is made known to management.
Because IT is crucial to support and enable financial reporting and other company operations, the CIO must ensure that technologies and measures are adopted to meet these requirements. Unfortunately, the bare definitions of internal controls and disclosure controls represented in Bill 198 and MI 52-109 offer little guidance.
Overcoming barriers
CIOs can overcome this challenge and create an actionable compliance plan by breaking the Bill into three essential elements – Control, Evaluation and Disclosure – and by adopting processes and best practices for each area. For IT, this means: establishing internal IT controls for accurate financial reporting and asset protection; monitoring, testing, and evaluating the controls on a regular basis; and disclosing the effectiveness of the controls and any deficiencies, weaknesses, changes or fraud.
Developing internal controls. Bill 198 requires the CFO and CEO to certify in quarterly and annual reports that they are responsible for establishing and maintaining internal controls, and that these controls are designed to ensure that material information about the company and its subsidiaries is reported to such officers.
Unfortunately, the Bill itself does not define specific actions for “internal controls” in more detail. Two standards frequently cited for such detail are COSO and COBIT.
COSO is the controls framework recommended by the SEC under SOX. It focuses on reporting and operations-based controls for the accounting process, not information security processes.
For this reason, many companies have turned to COBIT (Control Objectives for Information and related Technology). Created by the Information Technology Governance Institute (ITGI), it focuses on IT governance using a framework of control objectives. ITGI defines corporate governance as a means of bringing IT decision-making into the same governance process that applies to other areas of the company’s operations, so that the company’s IT operations sustain and extend the company’s strategies and objectives.
As with SOX, COBIT may be a good starting point for CIOs seeking to comply with the internal control and disclosure control and procedures requirements of Bill 198. It addresses the three elements of “disclosure control and procedures requirements” under MI 52-109.
Organizations can begin to implement IT Control process and best practice for accurate financial reporting and asset protection by focusing on the following areas:
- Establish, document, and communicate processes;
- Establish and enforce separation of duties;
- Implement technology to assert and guide workflow (including change ticketing, event monitoring and correlation);
- Implement automated, independent, detective controls to detect inappropriate activities. This must also include controls that systematically detect when things happen outside the process.
Building an evaluation environment.
MI 52-109 does not stop at implementation of internal controls; it requires that the CEO and CFO objectively evaluate the effectiveness of these controls and annually report their effectiveness to regulators.
Ongoing evaluation is not a new topic for information security. With respect to Bill 198 compliance, the requirements translate into documenting processes and systems, risk analysis and mitigation controls, and key control test strategies for IT systems that impact financial reporting. Unlike typical information security testing processes, however, evaluation of internal controls must be done more than yearly and the results must be certified by the highest levels of management.
Organizations should prepare documentation of a number of processes on a quarterly basis and present it to auditors for review. For example, for the change governance and management process, be prepared with:
- Meeting minutes of change management meetings;
- Authorization processes;
- “Three ring binder” of stapled items, including: authorized work order; change report on infrastructure showing correct changes made; signature of change manager verifying correct implementation of change.
Each of these evaluation requirements feeds into the comprehensive disclosure requirements under Bill 198. Without effective evaluation of internal IT controls, companies cannot adequately meet the disclosure requirements outlined below.
Adhering to disclosure requirements. Control and ongoing evaluation would not benefit shareholders if companies were not also required to officially disclose the level of effectiveness (or ineffectiveness) of the controls. MI 52-109 requires companies to report how effective their internal controls have been on an interim and annual basis. The CEO and CFO must certify that they have disclosed any changes to internal controls over financial reporting that have materially affected (or are likely to materially affect) these internal controls.
Management should describe how their internal controls support and defend assertions about financial reporting, particularly with regard to completeness and accuracy. This includes controls over the data itself (including “upstream” data sources) as well as controls that govern changes to relevant supporting IT components (applications, infrastructure elements, etc.)
Essentially, these conclusions should discuss the likelihood that a material error that could impact financial reporting would go undetected. This generally includes a discussion of the detective, supervisory, and preventive controls that have been implemented, accompanied by examples showing any exceptions detected by these controls.
Disclosure requirements have some significant ramifications for IT and the CIO. The principals of the company cannot determine the effectiveness of internal controls or report on any weaknesses unless they have the ability to detect and audit changes to the systems that support these internal controls. This heightens the need for use of monitoring software and systems that will detect misuse by internal personnel (especially those with the ability to influence internal controls) and for policies and procedures that allow companies to monitor employee use of the company’s IT systems (and sanction them for misuse).
IT change auditing is foundational From an IT perspective, the requirement to disclose material weaknesses may compel companies to report a breach of security or a security vulnerability that might materially affect a company’s financial conditions or operations.
Undocumented or unauthorized change to IT systems is a key area of focus in defending assertions for Bill 198. Under SOX, it is common for external auditors to insist that organizations satisfy control objectives like, “All change must be auditable, and all unauthorized change must be investigated.”
It is common for IT organizations to attempt to satisfy this objective by implementing change management policies and preventive controls to guide people through the change authorization process. However, most IT organizations have no way to detect changes made outside their sanctioned change-approval process. They rely on the honour system. As auditors often remind us: trust is not a control, and hope is not a strategy.
Satisfying control objectives requires a foundational capability of monitoring all IT systems for change, then reconciling those detected changes with authorizations so that all unauthorized changes can be dealt with. This is achieved by using change auditing software to monitor the environment and provide a complete record of changes across the IT service stack.
The high price of failure An incident in 2002 demonstrated how a trusted insider might use security to reduce the stock value of a company to his advantage. In this incident, a systems administrator for UBS Paine Webber inserted a logic bomb in the systems of 1,000 company officers shortly before he resigned, and then purchased a number of put options for the firm’s stock in the hope that the stock would fall when the logic bomb caused systems to crash. Paine Webber spent more than $3 million to assess and repair the damage.
If UBS Paine Webber had been utilizing a change auditing program at the time of this incident, they would have been able to detect and remedy this situation before it impacted the business.
To meet the challenge of Bill 198, CIOs must ensure that their companies adopt a process of change management and auditing of IT systems and processes that affect financial reporting. Failure to do so can result in stiff sanctions. Officers who file certificates that contain misrepresentations can face quasi-criminal, administrative or civil proceedings under Canada’s securities laws, including penalties of up to $5 million.
The bottom line is that the law, and a company’s operations, will always change over time. It is incumbent on the CIO to ensure that the IT organization takes the proper steps for the organization to meet its compliance obligations moving forward.
QuickLink: 061995
Daniel J. Langin is the principal of Daniel J. Langin, Attorney at Law, LLC. He has over 16 years of experience in private and corporate practice, including twelve years of experience in technology, insurance coverage and intellectual property litigation and counseling. He can be reached at dlangin@langinlaw.com.
Dwayne Melancon, CISA, is VP of Corporate and Business Development for Tripwire, Inc. He has worked with the IT Process Institute on its research of best practices as well as with numerous corporations around the world on IT service management improvement.
This article is provided for general educational and informational purposes. It is not intended to provide legal advice.