Audit Point of view
What is persuasive evidence as it relates to
internal control systems?
This is the third article of a three-part series covering persuasive evidence
as it relates to internal control systems.
The CEO and CFO are required to certify various matters to
their securities administrators under NI 52-109. These
certifications are based on the existence of an effective
system of internal control and management is expected to
obtain persuasive evidence to support the conclusion that
those controls are effective. What constitutes persuasive
evidence is a matter of judgment, but the public nature of the
certifications elevates both the quality and quantity of
evidence required, putting a higher degree of responsibility on
management.
With that mandate in mind, there are two areas that should
be given specific consideration by management and the board
of directors:
1. Processes and controls
To successfully identify relevant risks and related processlevel controls, it is necessary to have a clear picture of
business processes and the flow of information. Typically
management demonstrates this understanding by describing
it in a flowchart or narrative, which should address activities
starting when a transaction is initiated and continuing until it is
reported in the financial statements. Management then uses
the flowchart/narrative to identify risks (what-could-gowrongs) and the related controls that mitigate those risks.
Written documentation of how, when and by whom controls
are executed increases the accountability of the control
owners, makes the established control procedures more
difficult to circumvent and facilitates the transfer of ownership
of controls in case of personnel turnover. Furthermore, it is
the basis for obtaining persuasive evidence of the existence
and operation of an effective system of internal controls.
2. Management Review Controls (MRCs)
Review by knowledgeable and engaged management is
essential to an effective system of internal control, especially
for those areas of the financial statements involving
significant judgment and subjectivity. However, it can be
more difficult to obtain sufficient evidence about how MRCs
have been designed and if they are operating effectively. As
judgment and complexity increase, so can the potential for a
higher risk of material misstatement—meaning the
persuasiveness of the evidence required to demonstrate the
design and operating effectiveness of the MRC increases.
The challenge with many MRCs is well described in the
COSO Framework, which states “controls that require a
significant degree of judgment cannot be performed entirely
in the minds of senior management without some
documentation of management’s thought process and
analyses.” When individuals executing MRCs do not fully
document their thought processes, it is difficult—sometimes
impossible—to properly assess the effectiveness of the
controls. For example, a well-documented MRC should
include an indication of the precision of the control (i.e., what
would be further investigated) and the resolution of any
investigated outliers. While these can be highly judgemental
decisions, formalizing thresholds for follow-up strengthens
the effectiveness of the control.
Key questions to consider before certifying
•
Does our documentation support management’s
assessment that the five components and 17 principles
of internal control are present and functioning and that
the components are working together in an integrated
manner?
© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
kpmg.ca
•
•
•
•
How do we ensure that MRCs are comprehensively
documented/evidenced, particularly in areas of high
judgment and complexity that are material to the financial
statements?
Do our auditors think our processes and controls,
especially MRCs, are well-documented?
How would improving the documentation and operation
of internal controls impact our audit?
Would this make the audit more effective and efficient?
Contact us
Ellen Breen
Partner
T: 403 691 8085
E: [email protected]
© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
kpmg.ca