Governance Rules and Expectations are Changing…what does this mean to your organization? CAUBO 2004 Brian G. Brown Director - Corporate Audit Services

AGRICORE UNITED Largest Agri-business in Western Canada Established by merger of United Grain Growers Limited (UGG) and Agricore Cooperative in November 2001 Listed on the Toronto Stock Exchange (“AU”)

AGRICORE UNITED 3 Core Businesses: Grain Handling, Crop Inputs (Retail), Livestock Services 80 elevators, 200 retails, 10 feedmills, 4+ port terminals, 7 distribution centres, 8 special crops plants, 3 research facilities Joint Ventures, Investments, Subsidiaries Significant relationships with Scotiabank (Credit), Swiss Re (Risk Management), Archer Daniels Midland (Strategic Alliance)

AGRICORE UNITED (2003) Sales $2.7 billion Revenue from Services $410 million Assets $1.6 billion Net Loss = $2.4 million Cash Flow from Operations $60 million 2500 Employees

INSTITUTE OF INTERNAL AUDITORS Global governing body for the practice of Internal Auditing 93,000 members worldwide in 243 affiliates & chapters 11 chapters in Canada with 4000 members Professional Guidance including the Standards for the Professional Practice of Internal Auditing Certification - CIA, CFSA, CGAP, CCSA

What we are going to discuss today... How did we get into this situation? What are the new Canadian regulations? Are there other Governance initiatives? What’s coming? How are Publicly-traded organizations responding? What does this mean to Universities and other public institutions? Are there any benefits? Do the regulations really matter?

History –Canada was a world leader: MacDonald Commission TSX - “Where were the Directors?” COCO –Other countries developed guidance: Cadbury - UK Treadway (COSO) - USA –Late 1990’s: “5 Years to the Dey” - Canada NYSE Blue Ribbon Commissions –Saucier Report (2001)

Why the recent increase in interest in Corporate Governance? Boondoggle after Boondoggle (in the public and private sector) Enron Worldcom Livent Nortel HRDC Sponsorship Scandal

THE PUBLIC HAS LOST CONFIDENCE !

Sarbanes Oxley (SOX) - USA’s immediate response (January 2002) Section 302 (CEO/CFO CERTIFICATION) Section (INTERNAL CONTROL EVALUATION AND EXTERNAL AUDITOR ATTESTATION) Effective November 15, 2004 or July 15, 2005

More patience in Canada……what should we do, if anything? OSC Chair/TSX President exchange public correspondence Business and various groups debate Time-lines for implementation Does Canada need tighter regulations? Principles or rules? Effect on smaller listed companies?

What are the new Canadian Regulations…….(CSA/OSC)? NI Continuous Disclosure NI Accounting Principles NI Auditor Oversight NI CEO/CFO Certification NI Audit Committee

KEY POINTS Continuous Disclosure: New filing deadlines: –annual financial statements within 90 days of year-end (previously 140 days) –interim financial statements within 45 days of quarter- end (previously 60 days) Auditor Review: –Must disclose if no external auditor review of interim statements

KEY POINTS Acceptable Accounting Principles and Auditing Standards Public companies that are not SEC (USA) registrants –financial statements must be in accordance with Canadian GAAP –must be audited in accordance with Canadian GAAS

KEY POINTS Auditor Oversight Audit Report on public company financial statements: –prepared by an auditor registered with Canadian Public Accountability Board (CPAB) –auditor must be in compliance with CPAB

KEY POINTS CEO/CFO Certification “Bare” Certification (now in effect) –quarterly certification of financial statements and MD & A –no misrepresentation or omission of material fact –fair representation (no GAAP reference) of: financial condition results of operations cash flows

KEY POINTS CEO/CFO Certification Beginning with year-ends after January 1, 2005, additionally certify that: –designed disclosure controls (quarterly) –designed procedures and internal controls over financial reporting (quarterly) –evaluated the effectiveness of disclosure controls (annually) –reported changes in internal controls over financial reporting

KEY POINTS CEO/CFO Certification…….clarifications Certification of filings: –CEO & CFO must certify they have reviewed documents No Misrepresentation: –based on their knowledge –disclosure and internal controls must be adequate to provide knowledge Fair Presentation –based on their knowledge –present fairly in all material respects the financial condition, results of operations, and cash flows –present fairly goes beyond GAAP requirements

KEY POINTS Audit Committees Applies commencing with Annual Meetings after July 1, 2004 written charter composition - independence, financial literacy external auditor relationship pre-approve all non-audit services procedures for receiving complaints and anonymous submissions concerning accounting, internal controls, or auditing matters (whistleblower rule) additional disclosure

What other issues/initiatives are affecting governance? Shareholder activitism (eg. CCGG) CBCA Banking, insurance regulations Enterprise Risk Management Accounting guidelines Government scandals

What’s Coming in the near future? OSC Effective Corporate Governance (ED Period ended, currently under review) Best Practices for effective governance –Board Composition, mandate, training, etc –Code of Business Conduct and Ethics –Nominations –Compensation –Board Assessment

What’s Coming in the near future? Certification of effectiveness of internal controls over financial reporting External Auditor attestation (OSC Exposure Draft expected September 2003)

Impact on publicly-traded organizations……………. Time, Cost, Distraction, Disclosure, Documentation…….. For what benefit?

Impact on publicly-traded organizations……………. 4 key areas: 1. Certifications 2. Disclosure Procedures & Controls 3. Internal Controls over Financial Reporting 4. Whistleblowing

Certifications Establish sub-certification process involving key executives/officers/others –determine who will be involved –how often and when –format of the certificates Certifying all key financial info being disclosed externally - it must be provided to the sub- certifiers SHARING LIABILITY???

Certifications - Impact Operating management more focused on financial reporting Greater awareness of implications Nervousness, uncertainty Increased papertrail Monitoring, review, and follow-up of the sign-offs Increased Legal Dept involvement Time and cost

Disclosure Procedures and Controls What does this mean? Provide reasonable assurance that.. –Required disclosure recorded, processed, summarized & reported on timely basis –such information is accumulated and communicated to management including the CEO & CFO Information that underlies the “numbers”…. –Significant contracts –business developments –workforce relationships –legal proceedings

Disclosure Procedures and Controls What do we need to do? Establish a Disclosure Committee Review current/existing practices for keeping “Corporate Office”/CEO/CFO up to date Review financial statement “closing” procedures Implement regular (eg. Quarterly) meetings between Disclosure Committee and key finance and operations management

Disclosure Procedures and Controls What do we need to do? Ensure continuous flow of communication from operating divisions to “corporate” Implement a “review process” for all relevant external disclosure - link to sub-certifications Document everything Minute meetings Develop an ongoing disclosure review process - “evaluation” (eg. Internal Audit)

Internal Controls over Financial Reporting What are these? Provide reasonable assurance regarding reliability of financial reporting effected by BOD, management, & other personnel focus tends to be on “detective” controls - eg. Would fraud be caught?

Internal Controls over Financial Reporting Must certify that controls have been designed –How do you know? –How do you know if they are adequate? Anticipated future certification that controls have been evaluated by management MAJOR PROJECT!! Identify, document, assess adequacy, evaluate effectiveness

Internal Controls over Financial Reporting - Project Outline Phase 1: Planning & Scoping –identify internal skills and resources –determine if external support is required and, if so, whom –establish a project team with mgmt support –develop training plan –develop project scope –select control framework (eg. COSO)

Internal Controls over Financial Reporting - Project Outline Phase 2: Risk Assessment and Prioritization –de-consolidate the financial statements –identify key processes that drive financial reporting –establish criteria for risk assessment (including materiality level) –evaluate the identified processes and risk rank (workshop approach)

Internal Controls over Financial Reporting - Project Outline Phase 3: Documentation of Controls –determine who is responsible for documentation vs review of processes –complete an inventory of existing documentation –establish schedules and deadlines –establish documentation protocol/format –train team leaders on documentation process –complete documentation, including Control Environment and Computer General Controls

Internal Controls over Financial Reporting - Project Outline Phase 4: Evaluation and Testing –review documentation and test controls for effectiveness Phase 5: Identify & Correct Deficiencies –review identified issues and develop improvements –establish remediation plan and assign Phase 6: Report on Controls –report results to CEO/CFO

Whistleblowing Audit Committee must ensure procedures are in place –method for employees and others to “safely” report concerns about financial reporting, fraud, etc. –determine who in the organization will be responsible for investigating and reporting –complaints must be tracked –investigation and follow-up documented –report statistics and significant issues to Audit Committee

What about universities, public institutions, and other not-for profits? Pause…….. then get on with it…...

Impact on universities and other public organizations….. Private - sector regulations will become “best practices” Stakeholders will expect all organizations to have implemented many of these requirements The public will be less tolerant to financial errors/mis-statements, scandals, surprises, etc.

All this work….. Are there benefits beyond compliance?

All this work……are there any benefits? Increased management awareness of responsibilities for internal controls Potential operational process improvement Improved internal communications Deterrent to fraud Less surprises Increased Public Confidence…..maybe

Will these initiatives matter? Rules, regulations, structures, documentation, certification, reporting will help but…...

Nothing matters more than INTEGRITY

Governance Rules and Expectations are Changing…what does this mean to your organization? CAUBO 2004 Brian G. Brown Director - Corporate Audit Services

Questions? Comments?