Originally published August 2008

The Canadian securities regulators are adopting additional requirements for internal control over financial reporting, which will expand the current CEO and CFO certificates and require additional disclosure in MD&A. Accompanying these new requirements is extensive guidance on how disclosure and internal controls should be designed and evaluated. The new requirements are to come into force on December 15, 2008 and will apply to December 31, 2008 financial statements.

Background

The current rules (Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings) require a public company's chief executive officer and chief financial officer, or persons performing similar functions, (CEOs and CFOs) to personally certify that:

  • the company's filings do not contain any misrepresentations (for annual and interim filings);

  • the financial statements and other financial information in filings are fairly presented (for annual and interim filings);

  • they have designed, or caused to be designed under their supervision, disclosure controls and procedures and internal control over financial reporting (for annual and interim filings);

  • they have evaluated, or caused to be evaluated under their supervision, the effectiveness of disclosure controls and procedures, and disclosed their conclusions in MD&A (for annual filings only); and

  • any change that has, or is likely to, materially affect the company's internal control has been disclosed in MD&A (for annual and interim filings).

The current rules are to be replaced by the new rules (National Instrument 52–109 Certification of Disclosure in Issuers' Annual and Interim Filings). The Canadian securities regulators are also to adopt new guidance (Companion Policy to National Instrument 52–109) on how the new rules are to be interpreted and applied, including how disclosure and internal controls should be designed and evaluated.

The CEOs and CFOs of companies whose securities are not listed on the Toronto Stock Exchange or a major U.S. exchange have been exempted from the requirements under the current rules to certify that they have designed and evaluated disclosure controls and procedures and designed internal control over financial reporting. Under the new rules, these companies will continue to be exempt from those requirements as well as the new certification and MD&A disclosure requirements. See "Venture and Debt-Only Companies" below.

Under the new rules, public companies will still not be required to obtain an external audit opinion on internal control over financial reporting, as is required for U.S. public companies.

New CEO and CFO Certification Requirements

Under the new rules, CEOs and CFOs will, in addition to the existing requirements, be required to make up to five additional certifications:

1. CEOs and CFOs must certify that they have evaluated internal control

CEOs and CFOs will be required to certify that they have evaluated, or caused to be evaluated under their supervision, the effectiveness of the public company's internal control over financial reporting at the financial year end, and disclosed in its annual MD&A their conclusions from this evaluation. This requirement only applies to annual certificates.

The new rules do not prescribe how CEOs and CFOs should evaluate internal controls. However, the new guidance provides considerable detail on how this requirement should be interpreted and applied. See "New Guidance on the Evaluation of Disclosure and Internal Controls" below.

2. Where a material weakness in internal control has been identified, CEOs and CFOs must certify that this has been disclosed in MD&A

If a public company determines that it has a "material weakness" in its internal control over financial reporting at the end of the period covered by its annual or interim filings, it is required to disclose in its MD&A for that period:

  • a description of the material weakness;

  • the impact of the material weakness on its financial reporting and internal control; and

  • its current plans, if any, or any action undertaken, for remediating the material weakness.

A "material weakness" means a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the public company's annual or interim financial statements will not be prevented or detected on a timely basis. The new guidance provides that if the certifying officers identify a component of internal control that does not operate as intended, they should consider whether there is a compensating control that addresses the same financial reporting risk. If there is no compensating control, the public company would have a deficiency relating to the operation of internal control. A public company may have one or more mitigating procedures that reduce the financial reporting risks that the deficient internal control component failed to address and may disclose those procedures in its MD&A, but such disclosure should not imply that the mitigating procedures eliminate the existence of a material weakness. A public company is not required to remediate a material weakness that it identifies.

If a material weakness relating to either the design or operation of the internal control over financial reporting is identified, CEOs and CFOs will be required to certify that the required disclosure has been made in MD&A. This requirement will apply to both annual and interim certificates in the case of a material weakness in design, but only to the annual certificate in the case of a material weakness in operation.

3. CEOs and CFOs must certify that they have reported certain fraud to the auditors and either the board or audit committee

Under existing laws (National Instrument 51-102 Continuous Disclosure Obligations), the board of directors must approve a public company's annual MD&A, including the required disclosure concerning disclosure and internal controls, before it is filed. To provide reasonable support for the board of directors' approval of a company's MD&A disclosure concerning internal control over financial reporting, including any material weaknesses, the board of directors should understand the basis upon which the certifying officers concluded that any particular deficiency or combination of deficiencies did or did not constitute a material weakness. Similarly, current laws (National Instrument 52-110 Audit Committees) also require the audit committee to review a public company's financial disclosure and to establish procedures for dealing with complaints and concerns about accounting or auditing matters.

CEOs and CFOs will be required to certify that they have disclosed, based upon their most recent evaluation of internal control over financial reporting, to the company's auditor, and either the board of directors or audit committee, any fraud involving management or employees who have a significant role in those internal controls. This requirement only applies to annual certificates.

4. CEOs and CFOs must certify which control framework was used to design internal control

A public company will be required to use a control framework to design its internal control over financial reporting. Although the new rules do not mandate a specific control framework, the new guidance provides that the Risk Management and Governance: Guidelines on Control, published by The Canadian Institute of Chartered Accountants, is suitable. Other suitable frameworks are the Internal Control – Integrated Framework, published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the Guidance on Internal Control, published by The Institute of Chartered Accountants in England and Wales. Smaller public companies can also refer to Internal Control over Financial Reporting – Guidance for Smaller Public Companies, published by COSO, which provides guidance on the implementation of COSO's control framework.

CEOs and CFOs will be required to certify which control framework was used by the public company to design its internal control over financial reporting. This requirement will apply to both annual and interim certificates.

5. Where a proportionately consolidated or variable interest entity, or a recently acquired business, is excluded from disclosure or internal controls, CEOs and CFOs must certify that this has been disclosed in MD&A

The new rules permit a public company to limit its design of disclosure controls and procedures and internal controls over financial reporting to exclude:

  • proportionately consolidated entities or variable interest entities where there is not sufficient access to these entities to design and evaluate controls, policies and procedures carried out by that entity; and

  • businesses acquired not more than 365 days before the end of the applicable interim or annual financial period.

If a public company limits the design of its disclosure or internal controls in such a manner, its MD&A must disclose that limitation and contain summary financial information about the proportionately consolidated entity, variable interest entity or business acquired.

Also, in the case of such a limitation, the CEO and CFO will be required to certify that the required disclosure has been made in MD&A. This requirement will apply to both annual and interim certificates.

New Guidance on the Design of Disclosure and Internal Controls

The new rules do not prescribe how disclosure or internal controls should be designed, but the new guidance does provide the following:

Top-down, risk-based approach – The Canadian securities regulators believe that a "top-down, risk-based approach" is an efficient and cost-effective approach to designing disclosure and internal controls. In the case of disclosure controls, the certifying officers identify the risks that could, individually or in combination with others, reasonably result in a material misstatement in annual filings, interim filings or other reports. In the case of internal control, the certifying officers identify those risks that could, individually or in combination with others, reasonably result in a material misstatement of the financial statements (financial reporting risks). When identifying risks, certifying officers should explicitly consider the vulnerability of the company to fraudulent activity. Certifying officers then design specific controls, policies and procedures that, in combination with the public company's control environment, appropriately address the risks identified.

Control environment – The Canadian securities regulators are of the view that an effective control environment contributes to the reliability of all other controls, processes and procedures by creating an atmosphere where errors or fraud are either less likely to occur, or if they occur, more likely to be detected, and also supports the flow of information within the public company, promoting compliance with its disclosure policies.

A key element of a public company's control environment is the attitude towards controls demonstrated by the board of directors, audit committee and senior management (the "tone at the top"). In addition to an appropriate tone at the top, certifying officers should consider the following elements of the control environment:

  • organizational structure – a structure which relies on established and documented lines of authority and responsibility may be appropriate for some companies, whereas a structure which allows employees to communicate informally with each other at all levels may be more appropriate for others;

  • management's philosophy and operating style – a philosophy and style that emphasizes managing risks with appropriate diligence and demonstrates receptiveness to negative as well as positive information will foster a stronger control environment;

  • integrity, ethics, and competence of personnel – controls, policies and procedures are more likely to be effective if they are carried out by ethical, competent and adequately supervised employees;

  • external influences that affect operations and risk management practices – these could include global business practices, regulatory supervision, insurance coverage and legislative requirements; and

  • human resources policies and procedures – hiring, training, supervision, compensation, termination and evaluation practices can affect the quality of a public company's workforce and its employees' attitudes towards controls.

Controls, policies and procedures to include in design – Disclosure controls and procedures should generally include the following components: written communication to the company's employees and directors of its disclosure obligations, including the purpose of disclosure and disclosure controls and procedures and deadlines for specific filings and other disclosure; assignment of roles, responsibilities and authorizations relating to disclosure; guidance on how authorized individuals should assess and document the materiality of information or events for disclosure purposes; and a policy on how the company will receive, document, evaluate and respond to complaints or concerns received from internal or external sources regarding financial reporting or other disclosure issues. A public company might choose to include these components in a formal disclosure policy. The Canadian securities regulators encourage (National Policy 51-201 Disclosure Standards) public companies to establish a written disclosure policy.

Internal control over financial reporting should generally include the following components: controls for initiating, authorizing, recording and processing transactions relating to significant accounts and disclosures; controls for initiating, authorizing, recording and processing non-routine transactions and journal entries, including those requiring judgments and estimates; procedures for selecting and applying appropriate accounting policies that are in accordance with GAAP; controls to prevent and detect fraud; controls on which other controls are dependent, such as information technology general controls; and controls over the period-end financial reporting process, including controls over entering transaction totals in the general ledger, over initiating, authorizing, recording and processing journal entries in the general ledger and over recording recurring and non-recurring adjustments to the financial statements (e.g., consolidating adjustments and reclassifications).

Identifying significant accounts and disclosures and their relevant assertions – A top-down, risk-based approach to designing internal control involves identifying significant accounts and disclosures and the relevant assertions that affect each significant account and disclosure. A minimum threshold expressed as a percentage or a dollar amount could provide a reasonable starting point for evaluating the significance of an account or disclosure. However, certifying officers should use their judgment, taking into account the following factors when determining whether an account or disclosure is significant: the size, nature and composition of the account or disclosure; the risk of overstatement or understatement of the account or disclosure; the susceptibility to misstatement due to errors or fraud; the volume of activity, complexity and homogeneity of the individual transactions processed through the account or reflected in the disclosure; the accounting and reporting complexities associated with the account or disclosure; the likelihood (or possibility) of significant contingent liabilities in the account or disclosure; the existence of related party transactions; and the impact of the account on existing debt covenants.

The certifying officers then identify those assertions for each significant account and disclosure that present a risk that could reasonably result in a material misstatement in that significant account or disclosure, including the following:

  • existence or occurrence - whether assets or liabilities exist and whether transactions and events that have been recorded have occurred and pertain to the company;

  • completeness - whether all assets, liabilities and transactions that should have been recorded have been recorded;

  • valuation or allocation - whether assets, liabilities, equity, revenues and expenses have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded;

  • rights and obligations - whether assets are legally owned by the company and liabilities are the obligations of the company; and

  • presentation and disclosure - whether particular components of the financial statements are appropriately presented and described and disclosures are clearly expressed.

The certifying officers do not need to design all possible components of internal control over financial reporting to address each relevant assertion, but should identify and design an appropriate combination of controls, policies and procedures to address all relevant assertions.

Corporate governance for internal control – The board of directors of a public company is encouraged to consider adopting a written mandate to explicitly acknowledge responsibility for the stewardship of the public company, including responsibility for internal control and management information systems.

Maintaining design – Following their initial development and implementation of disclosure and internal controls, and prior to certifying their design each quarter, certifying officers should consider: whether the company faces any new risks and whether each design continues to provide a sufficient basis for the representations about reasonable assurance required in their certificates; the scope and quality of ongoing monitoring of disclosure and internal controls, including the extent, nature and frequency of reporting the results from the ongoing monitoring of disclosure and internal controls to the appropriate levels of management; the work of the company's internal audit function; communication, if any, with the company's external auditors; and the incidence of weaknesses in disclosure controls and procedures or material weaknesses in internal control over financial reporting that have been identified at any time during the financial year.

Documenting design – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of design of disclosure and internal controls. The extent of documentation for each interim and annual certificate will vary depending on the certifying officers' assessment of risk, as well as the size and complexity of the company's disclosure and internal controls. The documentation might take many forms (e.g., paper documents, electronic, or other media) and could be presented in a number of different ways (e.g., policy manuals, process models, flowcharts, job descriptions, documents, internal memoranda, forms, etc.).

Certifying officers should use their judgment, acting reasonably, to determine the extent and form of documentation, but the new guidance suggests certain minimum documentation. In the case of the design of disclosure controls and procedures, certifying officers should generally document the processes and procedures that ensure information is brought to the attention of management, including the certifying officers, in a timely manner to enable them to determine if disclosure is required, as well as the items described in "Controls, policies and procedures to include in design" above.

In the case of the design of internal control over financial reporting, the certifying officers should generally document: the company's ongoing risk-assessment process and those risks which need to be addressed in order to conclude that the certifying officers have designed internal controls; how significant transactions, and significant classes of transactions, are initiated, authorized, recorded and processed; the flow of transactions to identify when and how material misstatements or omissions could occur due to error or fraud; a description of the controls over relevant assertions related to all significant accounts and disclosures in the financial statements; a description of the controls designed to prevent or detect fraud, including who performs the controls and, if applicable, how duties are segregated; a description of the controls over period-end financial reporting processes; a description of the controls over safeguarding of assets; and the certifying officers' conclusions on whether a material weakness relating to the design of internal control exists at the end of the period.

New Guidance on the Evaluation of Disclosure and Internal Controls

The new rules do not prescribe how certifying officers should evaluate disclosure or internal controls to determine if they are operating as intended; however, the new guidance does provide the following:

Scope of evaluation – The Canadian securities regulators are of the view that certifying officers can use a top-down, risk-based approach to evaluate disclosure controls and procedures or internal control over financial reporting in order to limit the evaluation to those controls and procedures that are necessary to address the risks that might reasonably result in a material misstatement. The scope of the internal control over financial reporting evaluation must be sufficient to identify any material weaknesses.

Use of external auditor – If a public company chooses to engage its external auditor to assist the certifying officers in the disclosure and internal controls evaluations, the certifying officers should be actively involved in determining the procedures to be performed, the findings to be communicated and the manner of communication. The certifying officers should not rely on internal control over financial reporting-related procedures performed and findings reported by the company's external auditor solely as part of the financial statement audit. However, if the external auditor is separately engaged to perform specified internal control over financial reporting-related procedures, the certifying officers might use the results of those procedures as part of their evaluation even if the auditor uses those results as part of the financial statement audit.

Evaluation tools – Certifying officers can use a variety of tools to perform their disclosure and internal controls evaluations. These tools include:

  • certifying officers' daily interaction with the control systems – this daily interaction could provide an adequate basis for the certifying officers' evaluation of disclosure or internal controls if the operation of controls, policies and procedures is centralized and involves a limited number of personnel. Reasonable support of such daily interaction would include memoranda, e-mails and instructions or directions from the certifying officers to other employees;

  • walkthroughs – tracing a transaction from origination, through the company's information systems, to the company's financial reports, can assist certifying officers to confirm that: they understand the components of internal controls, including those components relating to the prevention or detection of fraud; they understand how transactions are processed; they have identified all points in the process at which misstatements related to each relevant financial statement assertion could occur; and the components of internal controls have been implemented;

  • interviews of individuals who are involved with the relevant controls;

  • observation of procedures and processes, including adherence to corporate policies;

  • reperformance – the independent execution of certain components of the disclosure or internal controls that were performed previously, including inspecting records whether internal (e.g. a purchase order prepared by the company's purchasing department) or external (e.g. a sales invoice prepared by a vendor), in paper form, electronic form or other media. An example of reperformance is inspecting whether the quantity and price information in a sales invoice agree with the quantity and price information in a purchase order, and confirming that an employee previously performed this procedure; and

  • review of documentation that provides evidence that controls, policies or procedures have been performed.

Certifying officers should use a combination of tools for the disclosure and internal controls evaluations. Although inquiry and observation alone might provide an adequate basis for an evaluation of an individual control with a lower risk, they will not provide an adequate basis for the evaluation as a whole.

The nature, timing and extent of evaluation procedures necessary for certifying officers to obtain reasonable support for the effective operation of a component of disclosure or internal controls depends on the level of risk the component of disclosure or internal controls is designed to address. The level of risk for a component of disclosure or internal controls could change each year to reflect management's experience with a control's operation during the year and in prior evaluations.

Self-assessments – A self-assessment is a walk-through or reperformance of a control, or another procedure to analyze the operation of controls, performed by an individual who might or might not be involved in operating the control. It could be done by personnel who operate the control or members of management who are not responsible for operating the control. The evidence of operating effectiveness from self-assessment activities depends on the personnel involved and how the activities are conducted. When one certifying officer has performed a self-assessment, it is appropriate for the other certifying officer to perform direct testing of the control to enable that officer to have a basis to sign his or her certificate.

Documenting evaluations – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of disclosure and internal controls evaluations. The extent of documentation used to support the certifying officers' evaluations of disclosure and internal controls for each annual certificate will vary depending on the size and complexity of the company's disclosure and internal controls. To provide reasonable support for a disclosure and internal controls evaluation the certifying officers should generally document: a description of the process the certifying officers used to evaluate disclosure and internal controls; how the certifying officers determined the extent of testing of the components of disclosure and internal controls; a description of, and results from applying, the evaluation tools discussed in "Evaluation tools" above or other evaluation tools; and the certifying officers' conclusions about the operating effectiveness of disclosure and internal controls, as applicable, and whether a material weakness relating to the operation of internal controls existed as at the end of the period.

New Guidance on the Use of a Service Organization or Specialist for Internal Control

Where a public company outsources a significant process to a service organization, such as payroll or other bookkeeping services, the certifying officers might identify the need for controls, policies and procedures relating to the outsourced process. Certifying officers should consider whether: the service organization can provide a service auditor's report on the design and operation of controls placed in operation and tests of the operating effectiveness of controls at the service organization; the certifying officers have access to the controls in place at the service organization to evaluate the design and effectiveness of such controls; or the company has controls that might eliminate the need for the certifying officers to evaluate the design and effectiveness of the service organization's controls relating to the outsourced process. If a service auditor's report is available, the certifying officers should evaluate whether the report provides them sufficient evidence to assess the design and effectiveness of controls relating to the outsourced process, including considering the following factors: the time period covered by the tests of controls and its relation to the as-of date of the certifying officers' assessment of the internal control; the scope of the examination and applications covered and the controls tested; and the results of the tests of controls and the service auditor's opinion on the operating effectiveness of controls. Where a service auditor's report is not available, the certifying officers do not have access to controls in place at the service organization and the certifying officers have not identified any compensating controls performed by the public company, a material weakness may exist.

Where a public company arranges for a specialist to provide certain specialized expertise such as actuarial services, taxation services or valuation services, certifying officers should ensure the public company has controls, policies or procedures in place relating to the source data and the reasonableness of the assumptions used to support the specialist's findings. The certifying officers should also consider whether the specialist has the necessary competence, expertise and integrity.

Venture and Debt-Only Companies

Under the new rules, the CEO and CFO certificates for a venture public company (i.e. a public company not listed on the Toronto Stock Exchange or a major U.S. exchange) will be abbreviated and will not refer to disclosure controls and procedures or internal control over financial reporting. Venture public companies will also not be required to include the related disclosure in their MD&A. The CEO and CFO certificates for a venture public company will include a note to readers explaining how the certificate differs from that of a non-venture public company.

U.S. Reporting Companies

As under the current rules, public companies that comply with U.S. laws regarding certification and internal controls are exempt from providing the certification and MD&A disclosure required in Canada, as long as they file their U.S. certifications and related documents with the applicable Canadian securities regulators.

About Trevor Scott

Trevor Scott is a solicitor at Farris and provides strategic and legal advice in diverse business areas. He has extensive experience in debt and equity financings for public and private companies, representing both issuers and investment banks. He also regularly advises on business acquisitions, divestments and take-over bids, including compliance issues with the Competition Act and assisting foreign investors with Investment Canada Act matters. Trevor also advises on corporate governance matters.

If you wish to discuss any aspect of this commentary, please contact Trevor Scott or any member of Farris' Securities Practice Group.

© 2008 Farris, Vaughan, Wills & Murphy LLP

This summary is necessarily of a general nature and should not be construed as the giving of legal advice. You are urged to seek legal advice on areas of specific interest or concern.