Effective December 15, 2008, the Canadian Securities Administrators (“CSA”) have replaced Multilateral Instrument 52-109 – Certification of Disclosure of Issuers’ Annual and Interim Filings, and its related forms and companion policy (collectively, the “Old Rules”) with National Instrument 52-109 – Certification of Disclosure of Issuers’ Annual and Interim Filings, and its related forms and companion policy (collectively the “New Rules”). In conjunction with the New Rules, the CSA also made consequential amendments to National Instrument 51-102 – Continuous Disclosure Obligations. The New Rules apply to all reporting issuers other than investment funds.
The purpose of the New Rules is to “improve the quality and readability of reporting issuers’ annual and interim disclosure”. The New Rules incorporate a number of new requirements and are similar to rules currently in effect in the United States adopted by the Securities and Exchange Commission (“SEC”), with a few notable exceptions. For example, unlike the SEC, the CSA will not require external auditor attestation.
The changes in the New Rules are of greatest significance to non-venture issuers that do not make filings with the SEC under Rules 302 and 404 of the Sarbanes-Oxley Act (“SOX”) and cannot rely on exemptions available for issuers that make such filings with the SEC.
The New Rules distinguish between venture and non-venture issuers1. A non-venture issuer is subject to more onerous requirements under the New Rules than a venture issuer. Under the New Rules, a non-venture issuer is required to:
- establish and maintain internal control over financial reporting (“ICFR”) and disclosure controls and procedures (“DC&P”);
- disclose material weaknesses (if any) relating to the design and operation of its ICFR and permitted limitations (if adopted) on the scope of the design of its ICFR and DC&P in its management discussion and analysis (“MD&A”); and
- use a control framework to design its ICFR.
A non-venture issuer is also required to provide additional certifications regarding ICFR and DC&P in its annual and interim certificates required to be filed under the New Rules. Separate certificates have been developed by the CSA for annual and interim filings of nonventure issuers and venture issuers. The form of certificate for venture issuers does not require certifications relating to ICFR and DC&P2.
In addition, there are alternative certificates for annual and interim filings following an initial public offering, a reverse takeover or an issuer becoming a non-venture issuer, for annual filings in connection with a voluntarily filed annual information form, and for re-filed annual and interim filings. A certificate filed under the New Rules is required to be dated the same date the certificate is filed.
The following describes the significant changes to the certification requirements of non-venture issuers that are included in the New Rules3.
Evaluation of Internal Control over Financial Reporting
One of the most significant changes imposed under the New Rules is the requirement that certifying officers4 (the “Officers”) provide an annual certification regarding the evaluation of the issuer’s ICFR. The Old Rules only required the evaluation of the issuer’s DC&P. The New Rules require Officers of a non-venture issuer to certify in the annual certifications that:
- they have evaluated, or caused to be evaluated under their supervision, the effectiveness of the issuer’s ICFR at the financial year end; and
- the issuer has disclosed their conclusions about the effectiveness of the issuer’s ICFR in the MD&A.
As noted above, the New Rules do not require issuers to obtain external auditor attestation as required in the U.S.
Control Framework for Issuers
As noted above, the New Rules require nonventure issuers to use a control framework to design its ICFR. The control framework used by a non-venture issuer is required to be identified in the Officers’ annual and interim certifications. The control framework used by the issuer to design its ICFR should be a control framework that is established by a body that has followed due process procedures. In that regard, the CSA identifies examples of suitable frameworks in the New Rules5.
Material Weakness Relating to Design and Operation
As noted above, a non-venture issuer is required to disclose material weaknesses in the design of its ICFR in its annual and interim MD&A. In addition, material weaknesses relating to operation that are identified during the annual evaluation of effectiveness of the issuer’s ICFR must be disclosed in the issuer’s annual MD&A. A “material weakness” is defined as “a deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the reporting issuer’s annual or interim financial statements will not be prevented or detected on a timely basis”.6 If the issuer determines that it has a material weakness, the Officers must certify for the applicable filings that the issuer has disclosed the following in its related MD&A for each material weakness existing at the end of the reporting period:
- a description of the material weakness;
- the impact of the material weakness on the issuer’s financial reporting and its ICFR; and
- the issuer’s current plans, if any, or any actions already undertaken, for remediating the material weakness.
Limitations on Scope of Design
The New Rules permit a non-venture issuer to limit its design of DC&P and ICFR in certain circumstances to exclude controls, policies and procedures of a proportionately consolidated entity or a variable interest entity in which the issuer has an interest or a business that the issuer acquired not more than 365 days before the last day of the financial period covered by the certificate. If the issuer has limited its design of DC&P and ICFR as permitted under the New Rules, the Officers are required to certify for both the annual and interim filings that such limitations, together with summary financial information about the proportionately consolidated entity, variable interest entity or business that the issuer acquired that has been proportionately consolidated or consolidated in the issuer’s financial statements, have been disclosed in the MD&A.
Reporting to Auditors, Board and Audit Committee
Under the New Rules, Officers are required to certify in the annual certification that they have disclosed, based on their evaluation of the ICFR, to the issuer’s auditors and audit committee (or the full board), any fraud that involves management or other employees who have a significant role in the issuer’s ICFR.
New Companion Policy
The new companion policy is significantly expanded, and provides important guidance to issuers and Officers with respect to designing, evaluating the operating effectiveness of, and certifying ICFR and DC&P. The companion policy also gives examples of suitable control frameworks that an issuer could use to design ICFR, discusses outsourcing significant processes (such as payroll and bookkeeping services) to service organizations, provides guidance on the identification and treatment of material weaknesses, and discusses the role of the board of directors and audit committee. Officers are strongly urged to read the companion policy carefully.
Exemption for Compliance with U.S. Laws
Issuers in compliance with the SOX 302 and 404 Rules may be able to file with the CSA, instead of the certificates required by the New Rules, the certificates and management’s annual report on ICFR and the attestation report on management’s assessment of ICFR that the issuer files with or furnishes to the SEC. Issuers may not rely on the exemption if the filings they file with or furnish to the SEC differ from those made in Canada. Issuers that do not certify quarterly financial statements and MD&A that are filed with or furnished to the SEC on Form 6-K will not be able to rely on the exemption with respect to interim filings.
The New Rules came into effect on December 15, 2008. Accordingly, the New Rules will immediately impact those reporting issuers with financial periods ending on or after December 31, 2008. The Old Rules will continue to apply to Officer’s certificates relating to financial periods ending before December 15, 2008.
Prior to making their next filings, Officers of a non-venture issuer will need to satisfy themselves that they have used a suitable control framework to design their ICFR; that they have identified and assessed risks faced by the issuer in order to determine the scope and necessary complexity of the DC&P and ICFR; and that they have developed controls, policies and procedures (the “components”) that comprise the DC&P and ICFR which, in combination with the issuer’s control environment, appropriately address the risks. The components need to have been placed in operation in order for them to certify DC&P and ICFR design.
Prior to making their next annual filings, Officers of a non-venture issuer will need to conduct an evaluation of whether the DC&P and ICFR designs are operating as intended. The evaluation must be sufficient to identify any material weaknesses. Officers must certify that they have evaluated the effectiveness of the DC&P and ICFR at year end and disclosed their conclusions in the related MD&A.
Finally, Officers are advised to maintain documentary evidence sufficient to provide reasonable support for their certifications of DC&P and ICFR design and evaluation, particularly given the potential for civil liability for continuous disclosure documents containing misrepresentations.