Assessing and Reporting on Internal Controls The Implications

Assessing and Reporting on Internal Controls: The Implications of Sarbanes-Oxley and Bill 198 • Shelley Tremblay and Peter Laureshen • Pricewaterhouse. Coopers Presentation to • Petroleum Joint Venture Association (PJVA) • March 16, 2004 Pw. C

Agenda • The New Reporting Environment • U. S. Sarbanes-Oxley Act and Canadian Bill 198 Rules • Elements of an Internal Control Framework • Front line Feedback – Pw. C Survey Results • Challenges for Oil and Gas Companies • Conclusions 2 Pw. C

The New Reporting Environment 3 Pw. C

What is driving the new reporting requirements? The Recent Failures The Responses • Dotcoms, Nortel, Cisco • Enron • Adelphia • World. Com • Tyco • Parmalat • Hollinger • Mutual Fund Industry • U. S. Sarbanes-Oxley Act (2002) or “SOx” • Canadian Bill 198 and Multilateral Instrument 52109 (2003) or “CSOx” 4 Pw. C

What has Changed? Truth or Consequences! The penalties for a CEO and/or CFO for providing a false certification of financial information under the Sarbanes-Oxley Act are now substantial ! Years in Jail: a) b) c) d) e) 1 -2 years 3 -5 years 10 -20 years 11 -14 years 20 -25 years Escaping from prison Kidnapping involving Ransom Incorrect SOx Certification Second Degree Murder Hijacking 5 Pw. C

U. S. Sarbanes-Oxley Act and Canadian Bill 198 Rules 6 Pw. C

U. S. Sarbanes-Oxley Act (“SOx”) The U. S. Sarbanes-Oxley Act of 2002 contains 11 Titles and 66 Sections. Title I – Public Company Accounting Oversight Board. PCAOB formed as branch of Securities and Exchange Commission (SEC). Public Auditing firms must register with PCAOB and are now brought under the regulation of the PCAOB. Title III – Corporate Responsibility. Section 302 establishes certification requirements for CEOs and CFOs of Annual and Quarterly reports filed with the SEC. Title IV – Enhanced Financial Disclosures. Section 404 (a) requires management to assess and report on internal controls, and Section 404 (b) requires the company’s External Auditor to attest to and report on management’s assertions on internal controls. 7 Pw. C

PCAOB Auditing Standard for Attestation of Internal Control Report On March 9, 2004, the PCAOB adopted “Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”, the attestation standard referred to in Section 404(b). Implementation has been delayed for “Issuers” and “Accelerated Filers” and is now effective for companies whose fiscal years end on or after November 15, 2004 (original date was September 15, 2003, then June 15, 2004). For “Foreign Private Issuers” (including most Canadian companies), implementation is effective for companies with year-ends on or after July 15, 2005. 8 Pw. C

Canadian Bill 198 In June 2003, the Ontario Securities Commission (“OSC”) and the Canadian Security Administrators (“CSA”) published for comment three new corporate governance rules, collectively referred to as Bill 198: • Multilateral Instrument 52 -108 Auditor Oversight • Multilateral Instrument 52 -109 Certification of Disclosure in Companies' Annual and Interim Filings (“CSOx”) • Multilateral Instrument 52 -110 Audit Committees Multilateral Instrument 52 -109 (CSOx) is basically adopting SOx Section 302 with an emphasis on Disclosure Controls and Procedures (DC&P). The issue of whether to implement a SOx Section 404 equivalent certification with an emphasis on Internal Controls over Financial Reporting (ICFR) and External Auditor attestation has been tabled pending further study. 9 Pw. C

CSOx Rules - CEO/CFO Certification Interim Filings – CEO and CFO to certify that they: • Are responsible for Internal Controls over Financial Reporting (ICFR), and Disclosure Controls and Procedures (DC&P). • Have designed Internal Controls over Financial Reporting (ICFR) to provide reasonable assurance that financial statements are fairly presented in accordance with GAAP. • Have designed Disclosure Controls and Procedures (DC&P) to provide reasonable assurance that material information is made known to them by others within the issuer and its consolidated subsidiaries. • Have indicated in the MD&A any changes to Internal Controls over Financial Reporting (ICFR) that has materially affected, or is reasonably likely to materially affect, the issuer’s Internal Control over Financial Reporting. 10 Pw. C

CSOx Rules - CEO/CFO Certification Annual Filings – In addition to certification in interim filings, CEO and CFO to certify that: • They have evaluated the effectiveness of Disclosure Controls and Procedures (DC&P). • They have presented their conclusions on those controls in the annual MD&A. Filings to be Certified • Annual Information Form (AIF), annual financial statements, annual MD&A, interim financial statements and interim MD&A 11 Pw. C

CSOx Rules - Implementation Timeframe Phased-in approach to meeting requirements: Instrument comes into force on March 30, 2004. Annual certificates apply for financial years beginning on or after January 1, 2004. However, Transitional “Bare Certificate” can be filed for financial years ending on or before March 30, 2005. The “Bare Certificate” requires that the CEO and CFO certify that: • They have reviewed the filings. • The filings do not include any untrue statement of a material fact or omit to state a material fact. • The financial statements along with other financial information, fairly present financial conditions, results of operations and cash flows. 12 Pw. C

Summary - Addressing the Requirements of SOx and CSOx Disclosure Requirements LEGEND Operations Financial Reporting Disclosure Controls and Procedures Compliance Internal Controls over Disclosure Requirements Internal Accounting Controls Internal Controls Over Financial Reporting (Including footnotes) Disclosure Controls and Procedures Controls and other procedures designed to ensure information required to be disclosed by issuer is recorded, processed, summarized and reported in a timely manner. 13 Pw. C

Elements of an Internal Control Framework 14 Pw. C

Definitions Disclosure Controls and Procedures (DC&P) • Provide reasonable assurance that: • information required to be disclosed is recorded, processed, summarized and reported within the time periods required. • such information is accumulated and communicated to the issuer’s management, including the CEO and CFO, in order to allow timely decisions regarding required disclosure. • Apply to material financial and non-financial information to be included in public reports so that investors are fully informed. • Broader than Internal Controls over Financial Reporting (ICFR), and inclusive of ICFR to the extent it impacts disclosures. 15 Pw. C

Definitions (cont. ) Internal Control over Financial Reporting (ICFR) • Provide reasonable assurance on the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and addresses: • maintenance of records that accurately and fairly reflect the transactions and dispositions of the assets of the issuer • reasonable assurance that transactions are recorded to permit the preparation of financial statements in accordance with GAAP, and that receipts and expenditures are made in accordance with authorizations of management and directors; and • reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material impact on the financial statements. 16 Pw. C

The Five Components under the COSO Framework Monitoring § Assessment of a control system’s performance over time. § Combination of ongoing and separate evaluation. § Management and supervisory activities. § Internal audit activities. Control Environment Information and Communication • Pertinent information identified, captured and communicated in a timely manner. • Access to internal and externally generated information. • Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action. • Sets tone of organization-influencing control consciousness of its people. • Factors include integrity, ethical values, competence, authority, responsibility. • Foundation for all other components of control. All five components must be in place for a control to be effective. 17 Control Activities • Policies and procedures that ensure management directives are carried out. • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties. Risk Assessment • Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities. Pw. C

Front Line Feedback – Pw. C Survey Results from January 22 -23, 2004 Pw. C Survey of 120 SOx 404 Project Leaders from major corporations attending a Sarbanes-Oxley Conference held in New Jersey 18 Pw. C

Front Line Feedback – Snap Shot 1. Nearly 75% of respondents have seen a significant increase in the level of effort required to comply with SOx 404 as compared to original estimates. About 1/3 of these saw increases of more than 75%. 2. Respondents reported difficulties in the following areas: • • Level of Testing required Documentation Multiple Locations Evaluating Control Weaknesses Initial Scoping Outsourced Processes Global Support Specialty Processes e. g. treasury/tax 19 95% 89% 65% 63% 59% 46% 35% 33% Pw. C

Front Line Feedback – Snap Shot 3. Respondents reported that the areas where their companies are most likely to need remedial work to fix problems prior to certification are: • • • Manual controls Computer controls (excluding security) Security Fraud Financial reporting Audit Committee 20 72% 65% 54% 44% 35% 13% Pw. C

Front Line Feedback – Snap Shot 4. Respondents reported they intend to make improvements in the following areas in future to streamline compliance. • • Risk identification and assessment Financial Reporting Internal Audit Compliance Management IT Security Strategy and Implementation IT Oversight and Operations Risk Mitigation Processes 21 67% 50% 46% 44% 41% 33% Pw. C

The Challenges Ahead for Oil and Gas Companies 22 Pw. C

Oil & Gas Exploration & Production Some Internal Control challenges for E&P Companies? • Production accounting (reconcile to measurement and delivery points; production allocations) • Revenue accounting (involving commodity trading, derivatives, inventory hedging) • Reserves estimates (conflicting US, Canada rules) • Joint Interest accounting (reliance on Land, DOI) • Accuracy of Division-of-Interest (DOI) across all IT systems (Production, Reserves, Revenue, JI Acct, Land, Budgeting) 23 Pw. C

Oil & Gas Exploration & Production Joint Venture Arrangements • Assess significance of Non-operated Properties in terms of quantitative and qualitative materiality factors, and in relation to company’s significant accounts and disclosures. • Challenge is to obtain appropriate comfort over Internal Controls over Financial Reporting (ICFR) of Operators. – JV Audit Process – Controls over JV Billing Process – Validation of revenues vs. expenditures 24 Pw. C

Oil & Gas Exploration & Production Oil and Gas Companies Recently in the News: • Royal Dutch Shell – Reserve estimates reduced by 20%. Cascading reserve reductions by companies and trusts with interests in Shell-operated properties. • El Paso - Reserve estimates reduced by 35 -40%. Disclosed values of reserves exceeded Independent Reserve Estimates. • BP – Reduced reserves estimates by 2 -3%. 25 Pw. C

Conclusions 26 Pw. C

Conclusions The world has changed for CEOs, CFOs, Directors, Audit Committees, Auditors, and for Management and Employees, albeit in different ways. The bar has been raised (or lowered), and …for some, the “bars” will close! The short-term challenges for corporations are project related. The longer term challenges are creating a sustainable compliance program that fully integrates compliance steps into routine management practices. Some companies are not going to make it. Some companies will have significant deficiencies, some companies will receive negative opinions from their auditors. The capital markets will determine the consequences. 27 Pw. C

Contact Details Shelley Tremblay, Manager and Peter Laureshen, Manager Pricewaterhouse. Coopers LLP Suite 3100, 111 - 5 th Avenue SW Calgary, Alberta, Canada T 2 P 5 L 3 Shelley: (403) 296 -4007 Peter: (403) 509 -7485 Email: shelley. tremblay@ca. pwc. com Email: peter. laureshen@ca. pwc. com PASC www. petroleumaccountants. com PJVA www. pjva. ca 28 Pw. C