Regulators and public issuers are casting an eye to the south to understand the implications of introducing an internal control reporting regime. A report on the U.S. experience indicates asset-management firms should be particularly attentive, even privately held companies, as this kind of rule can reach far beyond public companies.

The Canadian Securities Administrators is proposing an internal control reporting rule that essentially mimics the one crafted by U.S. legislators, known as SOX 404 (after its section number in the Sarbanes-Oxley Act). In short, SOX 404 requires public companies to maintain adequate internal controls, to audit those controls and disclose any deficiencies they uncover. On its face, the requirements sound unremarkable, but U.S. companies have found the implementation more onerous than expected.

The CSA’s rule isn’t final. It was published for comment earlier this year, drawing a slew of input from issuers and other industry players. Many have argued that regulators should reconsider their plans, saying the costs may outweigh the benefits. However, regulators seem committed to a rule that is substantially similar to the one adopted in the U.S.

Assuming that regulators remain convinced that some sort of internal control reporting rule is necessary, issuers hope that regulators will learn from the U.S. experience. They recommend cushioning the blow of implementing the rule by taking a risk-based approach to assessing controls and focusing more on entity-level controls, not drilling right down to individual transactions as was done in some cases in the U.S.

It appears that the CSA is open to some of these suggestions. “The CSA is in the process of considering the comments we received on [the proposed rule] — as well as recent developments in the U.S. relative to SOX 404, as well as internationally — to determine what the approach ought to be in Canada,” says Susan Wolburgh-Jenah, vice chair of the Ontario Securities Commission in Toronto.

As the regulators examine the U.S. experience, the asset-management business may be well advised to follow suit and contemplate how the U.S. rules have impacted money-management firms south of the border. A recent report from TowerGroup Inc., a Needham, Mass.-based financial services consulting firm, reveals that although SOX 404 requirements apply only to publicly traded firms, the obligations they impose on those issuers can filter down into firms that aren’t public but do business with public companies that are directly subject to the rule.

The report focuses on U.S. asset managers, pointing out that although publicly traded firms, such as Janus Corp., must comply with the requirements for their own operations, privately held firms that supply services, such as money management, to public companies must be able to attest to the quality of their internal controls to satisfy these clients. Also, any private firm that wants to sell itself to a public one, issue debt, raise capital by way of private placement or carry out an initial public offering has to comply with the rules. “It is clear that even though all aspects of SOX do not apply to all private companies, as a practical matter Sarbanes-Oxley impacts the private sector to a large degree,” the report notes.

In Canada, there are just a handful of publicly traded asset managers who will probably be directly affected by the adoption of an internal control reporting regime. But, if the U.S. experience is any guide, many other asset managers could also be affected.

The asset-management subsidiaries of the large banks and insurers will have to ensure their controls are up to standard to satisfy their parent companies’ obligations. And private firms that provide money-management services to public companies, or portfolio-management functions to publicly traded fund companies, also could be affected.

Not only will internal control reporting requirements impact a good number of asset managers, but the kind of services they provide may be subject to scrutiny. The TowerGroup report notes there may be internal control weaknesses in the investment process: “…from the areas visible to clients, such as reporting and billing, to portfolio trading, investment operations and fund services that are behind the scenes.”

Some of the concerns in these areas can be assuaged by technology. For example, TowerGroup says these new obligations “will help tip the scale and lead asset managers to invest in more automation [of] the trading process.” If a smaller firm couldn’t justify the technology investment in the past, it may decide it’s better to spend some money rather than risk losing clients that can’t be confident in its controls.

@page_break@Although technology may provide some solutions, TowerGroup says, these new demands are “not a technology event. It is primarily a governance process, in that certifying officers cannot rely on the chain of command internally or at their vendors to manage risk.”

Increased automation may help remove some of the risk inherent in manual processes, but firms won’t simply be able to rely on new systems to assure compliance. Instead, the demands of an internal control reporting regime may be a new source of pressure to improve governance — at a time when regulators are explicitly emphasizing better governance at fund firms (such as contemplating rules requiring independent review committees, compliance plans and manager registration. See page 14).

So far, the Canadian industry hasn’t given these issues too much thought. John Murray, vice president of regulation and corporate affairs at the Investment Funds Institute of Canada in Toronto, says IFIC hasn’t heard many concerns from its members about the possible implications of the imposition of internal control reporting obligations. As a result, IFIC hasn’t yet examined the subject itself.

Similarly, the sell side doesn’t appear worried. “I expect our members that are publicly traded companies will comply with requirements for maintenance, supervision and certification of internal controls set by the CSA,” says Paul Bourque, senior vice president of member regulation at the Investment Dealers Association of Canada in Toronto.

While issuers in many industries are concerned about the cost of compliance, Bourque says, the devil will be in the details. “The costs of implementation will depend on how the CSA implements the regulations. It could be a phased or tiered approach,” he says.

The CSA has already made some modifications to the U.S. rule to accommodate the differences in the Canadian markets. As Wolburgh-Jenah notes, the CSA proposal includes a couple of significant deviations from the U.S. rule: delaying implementation, only applying it to senior issuers and phasing in the requirements based on issuer size. The CSA has also said it will direct its rule toward a less onerous, top-down, risk-based approach. But it remains to be seen whether companies and auditors will take an easier stance on internal control reporting if there is legal liability involved.

One type of issuer that won’t be affected by the new requirements is mutual funds themselves. Wolburgh-Jenah notes that SOX 404 doesn’t apply to so-called “registered investment companies” in the U.S., nor will the Canadian version apply to mutual funds (regardless of whether they are organized as corporations or trusts).

But there is some upside to all this. U.S. firms have found that, by being forced to focus on and fix their internal controls, they can also reduce their operational risk. This lesson was highlighted during a panel discussion of the issue at the OSC’s annual conference in mid-November.

The TowerGroup report also notes this positive side effect in the U.S. asset-management industry, although, it says, the benefit doesn’t outweigh the cost. “It is difficult to quantify how costs will be impacted by Sarbanes-Oxley compliance, either directly or indirectly,” the report says. “Asset managers that gain business intelligence and implement process and technology enhancements as a result of SOX will find some value, but not nearly enough to offset the expense.”

Hopefully, like the regulators, Canadian financial firms will also learn some lessons from the U.S. implementation experience before they face internal control reporting obligations here. IE