This is the third article of a three-part series covering persuasive evidence as it relates to internal control systems.
The CEO and CFO are required to certify various matters to their securities administrators under NI 52-109. These certifications are based on the existence of an effective system of internal control and management is expected to obtain persuasive evidence to support the conclusion that those controls are effective. What constitutes persuasive evidence is a matter of judgment, but the public nature of the certifications elevates both the quality and quantity of evidence required, putting a higher degree of responsibility on management.
With that mandate in mind, there are two areas that should be given specific consideration by management and the board of directors:
1. Processes and controls
To successfully identify relevant risks and related process-level controls, it is necessary to have a clear picture of business processes and the flow of information. Typically management demonstrates this understanding by describing it in a flowchart or narrative, which should address activities starting when a transaction is initiated and continuing until it is reported in the financial statements. Management then uses the flowchart/narrative to identify risks (what-could-go-wrongs) and the related controls that mitigate those risks.
Written documentation of how, when and by whom controls are executed increases the accountability of the control owners, makes the established control procedures more difficult to circumvent and facilitates the transfer of ownership of controls in case of personnel turnover. Furthermore, it is the basis for obtaining persuasive evidence of the existence and operation of an effective system of internal controls.
2. Management Review Controls (MRCs)
Review by knowledgeable and engaged management is essential to an effective system of internal control, especially for those areas of the financial statements involving significant judgment and subjectivity. However, it can be more difficult to obtain sufficient evidence about how MRCs have been designed and if they are operating effectively. As judgment and complexity increase, so can the potential for a higher risk of material misstatement—meaning the persuasiveness of the evidence required to demonstrate the design and operating effectiveness of the MRC increases.
The challenge with many MRCs is well described in the COSO Framework, which states “controls that require a significant degree of judgment cannot be performed entirely in the minds of senior management without some documentation of management’s thought process and analyses.” When individuals executing MRCs do not fully document their thought processes, it is difficult—sometimes impossible—to properly assess the effectiveness of the controls. For example, a well-documented MRC should include an indication of the precision of the control (i.e., what would be further investigated) and the resolution of any investigated outliers. While these can be highly judgemental decisions, formalizing thresholds for follow-up strengthens the effectiveness of the control.
Key questions to consider before certifying