Michael Crolla:
A good risk assessment will focus on the business itself and mitigating those risks as opposed to checklists and tick boxes.
Narrator:
Welcome to Accounting for the Future, a BDO Canada podcast for financial leaders to navigate change, and achieve business growth. We'll uncover the challenges financial leaders may not have dealt with yesterday, but will definitely have to manage for the future.
Anne-Marie Henson:
Hello and welcome to Accounting for the Future. I'm your host, Anne-Marie Henson. On today's episode, I'm joined by two BDO partners, Michael Crolla, a partner in our assurance group who leads our capital markets and public company services practices and John Asher, a partner who leads our risk advisory practice in Western Canada and who helps clients with establishing and maintaining internal controls among other things. So I'm really looking forward to speaking to the both of you today.
Michael Crolla:
Happy to be here.
John Asher:
Thanks for having us.
Anne-Marie Henson:
So we're talking about a very relevant topic today that I'm sure you have discussions with both of your clients about on a regular basis, and it's about the importance of establishing and maintaining internal controls, especially in a public company environment. So you've both had a lot of experience working with public companies or companies that are trying to go public, and we've seen an increased focus on internal controls, especially from regulators these days. So I'm really looking forward to getting your thoughts on this. I want to start, John, maybe with yourself. Tell us a little bit about what the Canadian regulatory landscape is like for public companies today and who oversees internal control requirements from an external governance perspective.
John Asher:
Yeah, of course, Anne-Marie. So in Canada, the regulatory landscape for public companies is really multifaceted and involves several levels of oversight to really ensure the integrity of financial reporting and the internal controls that feed into financial reporting. So the regulator is the Canadian Securities Administrators, and there's the Securities Commissions within the provinces, but they all are underneath the CSA or the Canadian Securities Administrators. So that body plays the vital role in establishing this framework and the regulations for public companies and what they have to adhere to. So in Canada, public companies are required to maintain a robust system of internal control over financial reporting or what sometimes the folks will refer to as ICFR. So this system is designed to provide a reasonable assurance regarding the reliability of financial reporting and ultimately the preparation of financial statements for external purposes to ensure they're in accordance with GAAP or Generally Accepted Accounting Principles. So what the regulations require is for chief executive officers and chief financial officers of public companies excluding the venture issuers, so they're mandated to certify on the design and operating effectiveness of their company's internal controls over financial reporting. So again, this certification process really is that critical component of governance and really holds senior management directly accountable for these controls.
Anne-Marie Henson:
That sounds like a lot. First off, I just want to thank you. We have a lot of subject matter experts that come onto the podcast, and the fact that you already defined the ICFR for us is really great because sometimes we accountants and auditors tend to use acronyms that we assume everybody knows. So thanks for that as a starting point. And it sounds like a lot of things that executives and management of public companies need to comply with and be aware of as they're trying to maintain their internal control environment. So other than what I'd assume would be the obvious consequences of either penalties or being de-listed if they don't comply, can you explain to us why it's so important for a company to establish and maintain a strong internal control environment?
John Asher:
Yeah, absolutely. And I like how you said company and not public company because what I'm about to say really rests for all companies, whether public or not, and really establishing and maintaining a strong internal control environment is really essential for many reasons. One, financial integrity is a key point. Having robust internal controls ensures accuracy and reliability of financial reporting. And I know it is the case with public companies, but really for all companies too, it really is crucial for maintaining investor confidence or stakeholders of that entity to ensure the financial statements really reflect the true financial position of the company. We talked about regulatory compliance, so that's obviously key. And then really the third is risk management, and that's my area of expertise at really ensuring that you have the proper internal controls to address the areas of highest risk for the organization.
So think about fraud, think about human error, misstatements, those type of things. Having strong internal controls will really help, never eliminates it, but minimize those risks of misstatements or fraud. So really it is the backbone, internal controls as the backbone of corporate governance. It really helps provide the processes and procedures to help ensure a company operates effectively in addition to complying with the regulations that we had talked about earlier.
Anne-Marie Henson:
Thanks, John. And I actually, I love what you're saying that first off, this applies to all companies, whether private or public, and I really like the risk management aspect of it. Recently we did an episode with Alan Mack who's a forensics partner at the firm. And we talked a lot about fraud and all the quite fascinating cases we've seen play out in the public in recent years, and the importance of maintaining strong internal controls to never eliminate, but at a minimum, mitigate things like fraud risk. And we talked a lot about the tone at the top, which I think is a lot of what you're saying, just establishing an environment where everyone from the management to the staff and boards and audit committees of a company understand the importance of continuing to think through the internal controls and are they effective and making sure that they're always in that mindset of continuous improvement.
So I like what you said there. I think it's really important for all companies, no matter whether they're listed or not. Michael, maybe over to you. I know you've audited many public companies throughout your career so far, so can you tell us a little bit about why from an audit perspective it would be important to have a strong control environment?
Michael Crolla:
Yeah, of course. And I think next time I'm going to ask to go before John speaks. So no, he really hit the nail on the head on a number of different points there. And I'll just say that for public companies, as you mentioned, there's a regulatory environment associated with that. So first off, it's required if you're listed on the main board for the TSX. Venture issuer is a different story as mentioned, but management in the audit committee may need to provide certain disclosures or certifications as mentioned, and those sign-offs are real things. So it's important for an audit committee to be aware of the internal control system and management to be aware of ensuring that those controls are operating effectively. From our perspective as an auditor, a company with a more robust controlled environment suggests a few things to me. I'll even take off the auditor hat for a second and just talk about whether you're an investor or a user of the financial statements, and that's if a company is placed an importance on their risk assessment.
It talks a little bit more about the seriousness of how they view the business and not only from that audit perspective and looking at specific risks that an auditor may be focused on, but a good risk assessment will focus on the business itself and mitigating those risks as opposed to checklists and tick boxes, which sometimes people can be focused on. A proper risk assessment will start just understanding where those risk areas lie, and having that strong management team that focuses on the risks and understanding that profile will lead it on a journey to ensure that there is proper controls in place. So start there, understand the risks, and then from there you can focus a little bit more on the design and implementation.
Anne-Marie Henson:
Yeah, I like what you're saying there, Michael, and I guess this is a bit of my wheelhouse or my comfort zone as well in terms of an auditor of public companies. And I think there is something to be said as well, it's not just about an auditor's ability to rely on controls or change its audit approach, but I think there is something to be said about even when we go to our risk assessment or our client acceptance process, which all audit firms have to do at some point. When you know that there's a very strong control environment, that there's a good governance process and that there's a lot of emphasis placed on ensuring that those are maintained in a company, it gives us comfort as auditors that there is at least a certain part of that that we may be able to rely on.
It could reduce our audit risk, so it's always great to see from our side as well. So on top of the benefits internally to a company and externally to its stakeholders, I think there's a big benefit as well in terms of the relationship with the auditor and what reliance can be placed on that. So thanks for that. So these are all really great things, and it's clear that there are a lot of advantages to implementing and maintaining this strong control environment, but there have to be some challenges that companies face in terms of being able to do this successfully. So can you maybe John, tell us about what you've seen in your role because you actually help companies establish internal control processes and testing and stuff like that. So maybe with your experience, you can let us know what are some of the bigger challenges that companies face when they're trying to do this, and also what could they do to overcome those challenges?
John Asher:
Yeah, absolutely, Anne-Marie. I mean, one of the challenges that we see that is pretty common is having the resources to actually test the controls. You can imagine the finance department busy trying to get the financial reports, the finance statements and filings out on time. This is often a side of the desk type of project for some organizations and they may not have the prominence as other key functions in finance, and they don't have the luxury of having, say, an internal audit shop or an internal audit function that has the resources to do this. So that's usually number one. Two is even just having the skills within the organization to do so. Again, most Canadian public companies are, we're a mid-market country, and so they often don't have the internal expertise or within finance or separate functions to do that. Also, some of our clients are very busy with acquisitions, and so anytime you have an acquisition, you're bolting on another set of controls, you're bolting on another set of information systems.
And typically it takes a couple of years to really ingrain say the parent company's controls over the sub. And the more entities and geographies you have in play, the more different types of systems and controls you have. And sometimes it could be a bit of a mish mosh of controls, so that can create a lot of challenges. Technology, I mentioned systems, but not leveraging the right technologies to support your internal control function as well. So I think those are some of the big things that. And then Anne-Marie, I'm going to steal a word that you used earlier, tone at the top. Some organizations just don't put importance on this. Inherently, they do with internal controls, but not on the regulatory aspects of making sure that there's a testing of the design and effectiveness. It's more of like, "Okay, this is a regulatory headache that we have to do. Let's just get through this as quickly as possible."
And sometimes that's the sentiment, right? So if you do have that tone at the top, that leadership buy-in, it can really result in a very strong internal control program that really will help mitigate any risks and there's actually more benefits than pain points. So you asked your second question on mitigations, and Michael talked about this, risk assessments and not just on internal controls, but really at an enterprise level. Where are the key risks for the organizations? And I think a regular risk assessment should be done at least annually with quarterly monitoring to assess if there's been any changes. Training and development for staff performing these functions. As we know, maybe not so much the case this year, but last year there was a lot of turnover in the market within finance and risk professionals. And so by properly training your people in-house and developing them, and hopefully they're more likely to stay and you don't have to reinvest in hiring new people. And then lastly, I would just say technology. There's a lot of good systems out there that support internal control programs and really integrate the business with say, the internal audit function or the service provider that's going to help test the controls. So yeah, that that'd be the way I'd speak to that point there.
Anne-Marie Henson:
Yeah, thanks for sharing that. I think it's important to see that even if you don't have the resources internally or that you talked about the Canadian landscape being more of a mid-marketplace so sometimes we just don't have the resources that other countries might in terms of ensuring that we maintain a strong internal control environment like with an internal audit team or things like that, that there are things at their disposal such as great systems that can help them do this in the absence of people or being able to outsource that function to an outside firm where if someone leaves or if you do acquire a new business, that you don't have to worry that it's going to put undue strain on your existing tight resources within the organization. So I think those are all really great things to consider. And I think it's clear, we've seen it before, that if a company stayed static and never changed, then its control environment would be perfect.
But we all know that that's not the case. And it's great to see our clients acquiring businesses, expanding to new countries and updating or upgrading their technology. So these are all really important things for the business, but things that can put a lot of pressure on an internal control environment if they're not careful and ensuring that they're considering these things as they change and evolve their company. So Michael, in your interactions with your public company clients, we deal a lot with audit committees as a very crucial part in ensuring a certain level of governance over things such as internal controls. So what would you say would be some of the top qualities that an audit committee should have or things that they should consider to ensure that they're maintaining a strong governance over the environment of internal controls at a company?
Michael Crolla:
I hate to give the classic auditor or accountant answer of it depends, but of course sometimes it does. But it does depend of course on the nature of the industry and the business and what that business is doing. You guys have chatted a little bit about what that looks like depending on what the business is doing in terms of expanding, where it wants to go and where it wants to be, and understanding the risks associated with that. If it is being international, being acquisitive, just there's different things to consider. Each business has unique needs and cultures, to be frank. So the responsibilities of the audit committee from the get-go should be defined in the appropriate charter just to get started from what that looks like on a day one basis. Of course, that should be regularly reviewed and updated, but it does give that first framework of what the audit committee members and what are their responsibilities.
They should be focused on areas that will have the most impact. As I think it was mentioned earlier, you cannot eliminate all inherent risk to business or to what you're doing, but I think focusing on some of the key ones will help mitigate that. And if you do focus on all of them, it's going to be an extremely inefficient process, both for the audit committee at that higher level, but as well as for management as well as for the team below. It could just create some unnecessary bureaucracy that may not be needed. So I think understanding the big picture and where to focus is a key quality for an audit committee member.
Of course, having financial literacy is key. Understanding of business, understanding control frameworks and independence is fundamental to be effective on an audit committee and reviewing that control framework regularly. The world continues to evolve and change, and there's different risks that we're talking about on this right now that could affect the business as you look into the future. So staying up to date and understanding the effects of these changes will be key. I would say an audit committee member should also challenge management in certain areas that understand the business and its financial statements and have that relationship with management where they can have an open dialogue about certain issues and how it affects the financial reporting. Being involved is an important part of the job, and there may be more in terms of involvement than ever before. As mentioned, the world's changing and we just need to... An audit committee member will have to probably go beyond just those formal committee meetings and the role may evolve into just requiring more work throughout the year. So I think people that are in this role or thinking about being in this role should be aware of that because I think it is changing from just having those quarterly type meetings and being more involved through the year. So we chatted about tone at the top, so ultimately the audit committee will be responsible for that function and ensuring that that filters through to management and through the organization as well. But it's important to set an open and transparent relationship with those leading, whether it is management or an internal audit function, and that includes understanding both the strengths and weaknesses of the environment so you can implement improvement points ahead and as needed.
Anne-Marie Henson:
I think what you said that struck me the most is the fact that you should really focus on key areas or key priorities. We'd all love to have a perfect control environment, but that could lead, like you said, to a lot of inefficiencies and it's not necessary. And finding a way to not boil the ocean and really focus on the key areas, which would probably for a company be revenues or acquisitions or areas that have a lot more judgment would probably be a great place to start. And it's actually a perfect segue into my next question for you, which is about companies that are maybe not public yet, but they're considering listing. We're all anxiously awaiting the IPO market opening back up and being a great place for companies to raise capital. So in looking forward to perhaps the second half of 2024 or 25 as being a good time for a company to perhaps go public, what would you say to a company that's looking to have an improved or a better control environment as it prepares to perhaps list?
Michael Crolla:
Yeah, that's a great question. And I think I would start by saying that this is a journey and it takes time. Finding items that you can, as you implement controls, is not necessarily an issue for example. As you go through this process and you may find, "Oh, something was missed, we can fix that." To me, it suggests that the controls may actually be working if you are finding those issues. So that could be a good thing, but it is something that just does take time. And if you, I think try to do too much too early, you may not get the buy-in throughout the organization as needed. So as we talked about, focus on some of those key issues or key areas that may have a little bit more risk. Try to mitigate that first, see how it's working, and then obviously keep implementing as you go along and adjusting as you go along.
I think it's extremely important if you're considering listing, you have to have the right team alignment and very constructive relationships between whether it's audit committees, boards, management, internal audit and external audit to be honest. So all those different groups need to interact together and ensure that there's alignment in how they want to see things progress through that journey. I will add it's an investment in people, time and of course dollars. So that needs to be factored in when you are going through a listing process. Sometimes things like this get overlooked when it comes to controls, where people may be focused on just getting maybe perhaps a deal over the finish line and make sure it's timely, but it is important that this does get invested in. John made a comment earlier just about our economy and how from a global perspective, it may be more mid-market in a sense, and sometimes that gets overlooked when you're trying to list perhaps in the US and there the control environment could be extremely different than what we have in Canada right now.
So if you're looking perhaps to do that down the road, you need to prepare, you need to make sure that you're investing appropriately because it is a bit of a venture. And if you're opening up to list in different jurisdictions for different types of funding or what may be available out there, you need to make sure that you have the proper controls in place and that you're meeting the regulatory requirements in that jurisdiction. So it is an ongoing process. The audit committee or members of it need to constantly evaluate the performance of both the management team and the auditor, but also how the committee also operates itself.
Anne-Marie Henson:
Thanks for that. And no, it's true that it's so important to realize, I like what you said about it being a journey because it really is and recognizing that it's a journey, you should start well before you decide to go public for sure, to give you that time to learn what works and what doesn't for your organization, because you definitely want controls that mitigate risk, that address the key issues that are important and critical for your organization, but that are also agile or nimble and allow you to grow and expand and acquire without providing so much red tape. So I really like that everything you said, and also just making sure that you're aware if you're trying to raise money in other countries, even though you could be trying to raise money in a country that's even smaller than Canada, from a capital markets perspective at least, could have more stringent control requirements. So always really, really important to make sure you inform yourself before you go out there. John, maybe one final question for you about advice you might have for companies, but more with regards to optimizing or improving their internal controls.
John Asher:
Yeah, no, a hundred percent. I mean, there's a few things that I would definitely recommend. One would be we're starting with regulatory monitoring. So typically these are annual exercises, but last thing you want to do is wait a year to find out a control is not working or maybe it's not designed the way that it's supposed to be. So it'll continually keep your eye on controls and make changes when they come up as opposed to wait till the end of the year when you're going through your CEO and CFO certification process. We talked a bit about risk assessments and we continually have used that word, so I say continually do them. Ensure that controls are managing the current risk effectively. And again, that helps adapt to changes in the business environment. And we know we're in a very, I guess, dynamic or volatile time with the markets these days. And so controls and businesses are changing, and so make sure that you're continually doing those risk assessments and making sure that the controls are adequately managing those risks. Flexibility and scalability is something else that's really important. I think some organizations will try to manage controls like they did at their previous, but no two organizations are alike. Do something, if you have a small public company, come up with a simple approach that's scalable and then allow it to grow with the organization and as challenges come up. Fourthly, I'd say, and I mentioned the streamline and simplify. Avoid control creep. Control creep, meaning avoiding adding more controls for the sake of having controls. Surprising that I have experience with some very large public companies that are even Fortune 500 companies and then some very small companies and the small companies have way more controls than some of these Fortune 500 companies. And it's a result of failing to be scalable and simplify the process. And it creates a lot more work and a lot more, whether it's time or cost, if you're outsourcing it.
Ensure collaboration within the organization, within the key function, so IT, internal audit. Everyone working together in a smart way enhances collaboration, and it just really strengthens the control environment. Ensure you have clear roles and responsibilities too, and I think that's really important to identifying what everyone's roles are within the organization and specifically when it relates to internal controls.
A couple left that I can recall that I would really recommend, leverage technology. There's so many tools out there, we keep hearing about generative AI. I think that's something that's going to be seeing its head rear in this space quite a bit. Its early days, but be at the forefront of using innovative technologies. And at a minimum, there's a lot of GRC or governance risk and compliance tools out there that can really support the documentation of internal control testing and really the inventory of them.
Continually train and develop your staff. I think that actually studies have shown that that actually helps retain staff, and we know how expensive it is to go out and hire people, but it also helps strengthen your control environment. The more developed, the stronger people are more less likely to prevent errors or human errors in the conduct of controls. And last and probably most important is leadership commitment. We talked about tone at the top, but it's really important that there's strong commitment from leadership to ensure that staff are knowledgeable and that they're aware of regulations, but also continually investing in the enhancement of internal controls. So to round it all out, by focusing on those areas, I think you can really create a robust framework for internal controls, that only complies with regulatory compliance, but also supports achievement business objectives and really managing risks, which is really key for organizations.
Anne-Marie Henson:
That was fantastic. Thank you so much, John. This is super informative and I think hopefully provides a good basis for companies to either start or just improve their internal control process. So Michael and John, I'd really like to thank you today for your valuable time and input. I hope our audience appreciated this discussion. I'd also like to thank you, our listeners, for tuning in today and to all of our episodes. I'm Anne-Marie Henson, and this has been BDO's Accounting for the Future. Please let us know if you found the topic interesting and useful, and remember to subscribe if you liked it. We'll see you next time.
Narrator:
Thank you for listening to BDO Canada's Accounting for the Future. Past episodes and related insights are available at www.bdo.ca/accountingforthefuture. Or you can go to Apple Podcasts, Spotify, or Google Podcasts to subscribe. For more information on BDO Canada, visit bdo.ca.