The Canadian Securities Administrators (CSA) have adopted new rules for CEO/CFO certifications of annual and quarterly filings for fiscal periods ending on or after December 15, 2008. The new rules require annual disclosure of management’s assessment of the issuer’s internal control over financial reporting (ICFR) as at year end. These new rules parallel the requirements of Section 404 of the Sarbanes-Oxley Act in the United States, except that no auditor review of ICFR is required. New forms of CEO and CFO certificates have been adopted. For issuers with a calendar fiscal year end, little time remains to complete the required testing of ICFR.
Canadian issuers that comply with U.S. Sarbanes-Oxley Act Section 302 certification requirements on an annual and quarterly basis are exempt from the Canadian certification requirements.
Highlights of the New Requirements
- Evaluation of ICFR – Under new National Instrument 52-109 (the Instrument), the CEO and CFO are required to evaluate ICFR as at the financial year end. The issuer must disclose in its annual MD&A the certifying officers’ conclusions about the effectiveness of ICFR based on that evaluation.
- Reporting of fraud – The CEO and CFO are required to confirm that they have disclosed to the issuer’s auditors and the audit committee of the issuer’s board of directors any fraud involving management or other employees who have a significant role in the issuer’s ICFR.
- No auditor report – As announced by the CSA in March 2006, the Instrument does not require an issuer to have its auditor review or issue any report on its ICFR.
- Limitations on scope of certifications – Certifying officers may limit the scope of their certifications regarding the design of disclosure controls and procedures (DC&P) and ICFR for any proportionately consolidated entity or variable interest entity in which the issuer has an interest or any business acquired by the issuer within 365 days before the issuer’s year end, provided that summary financial information for such entity or business is disclosed in the MD&A.
- Control framework – Issuers must adopt and identify a suitable control framework for assessing ICFR, such as the COCO Framework, the COSO Framework (including the Guidance for Smaller Public Companies) or the Turnbull Guidance.
- Disclosure of any “material weakness” in ICFR – Certifying officers must: (i) certify in each annual or interim certificate that the issuer has disclosed in its MD&A any material weakness in design of ICFR existing at the end of the relevant period; and (ii) certify in each annual certificate that the issuer has disclosed in its annual MD&A any material weakness in the operation of ICFR existing at the end of the financial year.
- Definition of “material weakness” – A “material weakness” means one or more deficiencies in ICFR giving rise to a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. The definition of “material weakness” under the Instrument is the same as that currently used under U.S. certification requirements.
- Application to Venture Issuers – Venture Issuers (generally, issuers listed on the TSX Venture Exchange) must comply with the Instrument, but are not required to establish or maintain DC&P or ICFR and may omit from their CEO and CFO certificates representations on DC&P and ICFR, so they are not required to conduct any assessment of their ICFR.
Application
The Instrument applies to all reporting issuers other than investment funds and certain designated foreign issuers. Issuers which comply, even voluntarily, with certification and ICFR reporting requirements under U.S. securities laws (i.e., provide certifications under Section 302 of the Sarbanes-Oxley Act both on an annual and quarterly basis) are exempt from the Instrument if certain conditions are met.
The new forms of certificate apply to interim and annual filings for periods ending on or after December 15, 2008. Although former Multilateral Instrument 52-109 is repealed effective December 15, 2008, we recommend that CEO and CFO certificates continue to be filed in accordance with the forms currently required under that instrument for interim and annual filings made on or after December 15, 2008 for periods ending prior to December 15, 2008.
A companion policy to the Instrument (the Companion Policy) confirms that representations in the new form of certificate do not extend to prior period comparative financial information which either was not subject to certification or was subject to certificates that did not contain the same representations.
Although Venture Issuers must comply with the Instrument, they are not required to include representations in their certificates concerning DC&P or ICFR. This is consistent with the temporary relief granted by members of the CSA generally in November 2007. Nevertheless, Venture Issuers that omit references to DC&P and ICFR must include a prescribed warning in their CEO and CFO certificates. The CSA recommend that a similar warning be included in the corresponding MD&A, but it is not a requirement. The CSA discourages Venture Issuers from making partial disclosure about their DC&P and ICFR (that is, including some representations, but omitting others).
Changes to the CEO and CFO Certificates and MD&A Disclosure Requirements
Many changes have been made to the CEO and CFO certificates for non-Venture Issuers.
Changes affecting both the annual and the interim certificates include:
- Reasonable diligence – Each certifying officer must confirm that he or she has exercised reasonable diligence in concluding that to his or her knowledge the annual or interim filings do not contain a misrepresentation and fairly present in all material respects the financial condition, results of operations and cash flows of the issuer.
- Control framework – The control framework used to design ICFR must be identified.
- Material weakness in design of ICFR – Each certifying officer must confirm that the issuer has described each material weakness (if any) in design existing at the end of the interim or annual period in its MD&A for the period, as well as its impact on the issuer’s financial reporting and ICFR and the issuer’s plans and actions already undertaken to remediate the material weakness.
- Scope limitations – If the certifying officers have limited the scope of the design of DC&P and ICFR in the circumstances permitted under the Instrument, each certifying officer must confirm that the issuer has disclosed this limitation in the MD&A being certified and that it has provided in the MD&A summary financial information relating to the entity or business to which the scope limitation applies.
In addition, the following representations were added to the annual certificate:
- Evaluation of ICFR – Each certifying officer has evaluated or supervised the evaluation of the effectiveness of the issuer’s ICFR as of the end of the financial year, and the issuer has disclosed in its annual MD&A:
  - the conclusions of the certifying officers about the effectiveness of ICFR based on such evaluation; and
  - for each material weakness relating to operation of ICFR existing at the end of the financial year, a description of the material weakness in its annual MD&A and its impact on the issuer’s financial reporting and ICFR, as well as the issuer’s plans and actions already undertaken to remediate the material weakness.
- Fraud disclosure – Based on their most recent evaluation of ICFR, the certifying officers have disclosed to the issuer’s auditors and the audit committee of the issuer’s board of directors any fraud that involves management or other employees who have a significant role in the issuer’s ICFR.
In addition to the new forms of interim and annual certificates for non-Venture Issuers, the Instrument also prescribes special forms of certificate to be used:
- for refiling annual or interim filings;
- in connection with initial certifications following the date the reporting issuer completes an initial public offering or reverse take-over or becomes a non-Venture Issuer;
- by Venture Issuers for their financial statement and MD&A filings; and
- by Venture Issuers which voluntarily file an annual information form after the date the Venture Issuer has filed its annual financial statements and MD&A.
The MD&A requirements have also been amended to require the disclosure contemplated by the Instrument.
Material Weakness Disclosure
Deficiencies in ICFR need be disclosed in MD&A only if they constitute a “material weakness”. The definition of “material weakness” was the subject of controversy in the U.S.; the definition first adopted by the U.S. Public Company Accounting Oversight Board (PCAOB) in its Auditing Standard No. 2 of “more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected” was criticized as being too low a threshold. The U.S. Securities and Exchange Commission (SEC) and the PCAOB have since adopted a revised definition. The CSA has adopted the same definition of “material weakness”. A material weakness is defined as “a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the reporting issuer’s annual or interim financial statement will not be prevented or detected on a timely basis”.
The Companion Policy provides guidance on when an identified deficiency or combination of deficiencies constitutes a “material weakness”. Certifying officers generally should consider both qualitative and quantitative factors, including factors affecting: (i) the likelihood of ICFR failing to prevent or detect a material misstatement on a timely basis; and (ii) the magnitude of a misstatement that might result. Issuers should note that the absence of a material error in the financial statements and the fact that no material error was identified during the course of preparing the financial statements do not mean that a material weakness in design did not exist at the time.
In the case of annual disclosure obligations, the certifying officers’ assessment is based on their evaluation as at the end of the financial year. However, the CEO and CFO must also certify that disclosure has been made in the interim MD&A for each material weakness in the design of ICFR existing at the end of each interim period. Since this representation is not limited to the knowledge of the certifying officers, the CEO and CFO should inform themselves each quarter (without conducting a full-scale review) whether any previously unknown material weakness in design of ICFR may have arisen during the quarter.
New Guidance on Certification
Top-down, risk-based approach to DC&P and ICFR design
The Companion Policy encourages issuers to take a top-down, risk-based approach – echoing guidance issued by the SEC and the PCAOB. Certifying officers are encouraged to first focus on risks that could, individually or in combination with others, reasonably result in a material misstatement in the issuer’s annual filings, interim filings or other reports filed or submitted by it under securities legislation, and the vulnerability of the issuer to fraudulent activity that could result in a misstatement in those filings or other reports. They should then design specific controls, policies and procedures that, in combination with the issuer’s control environment, appropriately address those risks. Considerable guidance is provided in the Companion Policy on how to apply a top-down, risk-based approach to DC&P and ICFR certification.
Need for judgment
While encouraging a top-down, risk-based approach to the design of DC&P and ICFR, the Instrument does not prescribe the approach to design that the certifying officers should use, other than requiring use of a suitable control framework. The certifying officers must use judgment in assessing risks for various types and methods of disclosure (for DC&P design) and for identifying significant accounts and disclosures and their relevant assertions (for ICFR design), and for the identification and design of controls, policies and procedures to address them.
The certifying officers must use their reasonable judgment and should apply their knowledge and experience in determining the nature, timing and extent of their evaluation of DC&P and ICFR. Although inquiry and observation alone might be adequate for an evaluation of an individual control with a lower risk, the Companion Policy states that they will not be adequate for the evaluation as a whole.
Evaluation of DC&P and ICFR
The Companion Policy describes various tools that certifying officers may use to support their evaluation of DC&P and ICFR, including:
(a) their daily interaction with the control systems;
(c) interviewing individuals who are involved with the relevant controls;
(d) observation of procedures and processes, including adherence to corporate policies;
(e) reperformance; and
(f) a review of documentation that provides evidence that controls, policies or procedures have been performed.
The Companion Policy states that daily interaction alone could in appropriate circumstances provide an adequate basis for the certifying officers’ evaluation of DC&P or ICFR if the operation of controls, policies and procedures is centralized and involves a limited number of personnel.
If the certifying officers identify a material weakness in the design or operation of ICFR as at the end of the financial period, they cannot conclude that the issuer’s ICFR is effective. Similarly, if the certifying officers identify a weakness in the design or operation of DC&P that is significant as at the end of the financial period, they cannot conclude that the issuer’s DC&P is effective. Because of the overlap between ICFR and DC&P, the Companion Policy states that a material weakness in ICFR will almost always also represent a significant weakness in the DC&P.
Need for documentation
Adequate documentation must support the certification process. The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of the design of DC&P and ICFR and their evaluation of DC&P and ICFR.
This documentation should include:
- the key elements of the control environment, including the organizational structure of the issuer, management’s philosophy and operating style, the integrity, ethics, and competence of personnel, external influences that affect the issuer’s operations and risk management practices and human resources policies and procedures;
- for DC&P design: (a) the processes and procedures that ensure information is brought to the attention of management, including the certifying officers, in a timely manner to enable them to determine if disclosure is required; and (b) a written company disclosure policy and other documents assigning roles, responsibilities and authority relating to disclosure (such as may be contained in a management disclosure committee mandate); and
- for ICFR design: (a) the issuer’s ongoing risk-assessment process and those risks which need to be addressed in the design of ICFR; (b) how significant transactions and classes of transactions are initiated, authorized, recorded and processed; (c) the flow of transactions to identify when and how material misstatements or omissions could occur due to error or fraud; (d) a description of the controls over relevant assertions related to all significant accounts and disclosures in the financial statements; (e) a description of the controls designed to prevent or detect fraud, including who performs the controls and, if applicable, how duties are segregated; (f) a description of the controls over period-end financial reporting processes; (g) a description of the controls over safeguarding of assets; and (h) the certifying officers’ conclusions on whether a material weakness relating to the design of ICFR exists at the end of the period.
Documentation of how the evaluation of DC&P and ICFR was conducted should include a description of: (a) the process the certifying officers used to evaluate DC&P or ICFR, (b) how the certifying officers determined the extent of testing of the components of DC&P or ICFR, and (c) the evaluation tools used by the certifying officers and the results of such evaluation. It should also include the certifying officers’ conclusions about the operating effectiveness of DC&P and ICFR and whether a material weakness relating to the operation of ICFR existed as at the end of the period.
The Companion Policy clarifies that the “reasonable assurance” which DC&P and ICFR should provide is not a guarantee that errors or intentional misstatements resulting from fraud will not occur.
Role of Directors
The MD&A is a core document under statutory civil liability provisions in a number of Canadian jurisdictions and, accordingly, directors are potentially liable for a misrepresentation in the MD&A, unless a defence is available. One defence is that the director conducted or caused to be conducted a reasonable investigation. To support that defence and compliance with the Instrument, there should be documentary evidence to support management’s conclusions regarding DC&P and ICFR included in the MD&A, the review of those conclusions by the directors and any additional procedures undertaken in connection with the review.
At least quarterly, the Audit Committee should review the reasonableness of management’s conclusions as to whether any identified deficiency or deficiencies in ICFR constitute singly or collectively a material weakness in ICFR design. For the annual financial results, the whole board (not just the Audit Committee) should assess whether any identified deficiency or deficiencies in ICFR constitute singly or collectively a material weakness in design or effectiveness as of the end of the financial year. Each director should make sure that he or she is comfortable with the disclosure on the effectiveness of DC&P and ICFR which is required to be made in the annual MD&A.
Although the Companion Policy states that an effective board should be actively engaged in shaping and monitoring ICFR, we believe that the board’s involvement must be understood in the context of the board’s oversight responsibility. Active engagement does not mean the board must duplicate work undertaken by or under the supervision of the CEO and CFO. However, the CSA notes that active involvement of the directors with respect to ICFR may act as a compensating control or be a mitigating factor with respect to a deficiency in ICFR.
The CSA encourages written board mandates to expressly make reference to the board’s oversight responsibility for internal control and management information systems.
Implications for Non-Public Entities
While the obligation to provide an assessment of ICFR applies only to Canadian reporting issuers which are not Venture Issuers, there will be significant implications for non-public entities that have certain relationships with reporting issuers required to assess their ICFR.
Subsidiaries. An issuer required to assess its ICFR must review ICFR of any subsidiaries which are identified as significant in the course of the issuer’s ICFR risk assessment. The parent is not permitted to limit management’s assessment of ICFR or the CEO’s and CFO’s certificates due to an inability to conduct an appropriate review of ICFR of a subsidiary. A parent should ensure it has sufficient access to the necessary records, personnel and other information sources to make an appropriate assessment of each subsidiary’s ICFR as the lack of a review of a significant subsidiary’s ICFR may, in some cases, constitute a material weakness in the parent’s ICFR.
Variable Interest Entities and Proportionately Consolidated Entities. Although it is permissible for an issuer to include a scope limitation for variable interest entities and proportionately consolidated entities in which the issuer has an interest, where it does so the issuer is required to provide meaningful financial information about these underlying entities. Further, a scope limitation in the parent’s ICFR assessment regarding these entities may be perceived negatively by the parent’s investors or analysts. On the other hand, if the parent establishes an ICFR assessment process for these entities (assuming it has the ability to obtain access to the necessary information about them), the parent need not disclose financial information about those entities that might be competitively sensitive.
Outsourcing. Service organizations need to consider what degree of comfort they can provide to their public company clients about ICFR, and how frequently they can provide it, to enable those clients to meet their ICFR certification obligations regarding assessment of those components of their ICFR which are outsourced. The Companion Policy notes that the inability to assess a service organization’s controls, policies and procedures may in some circumstances represent a material weakness in the issuer’s ICFR.
Key Differences from U.S. ICFR Evaluation
- No auditor report on ICFR in Canada – Under U.S. securities laws, the issuer must include in its annual report a report from its auditor regarding the auditor’s own independent assessment of the effectiveness of ICFR. There is no requirement under Canadian securities laws for the issuer’s auditor to conduct any review of ICFR or provide any assessment, attestation or report regarding the issuer’s ICFR or management’s review of ICFR.
- Obligation to disclose material weaknesses in design of ICFR on a quarterly basis – Under both Canadian and U.S. certification requirements, any change in ICFR that materially affects ICFR must be disclosed on a quarterly basis. However, Canadian certification requirements also require that the CEO and CFO certify that they have caused the issuer to disclose any weakness in the design of ICFR on a quarterly basis. In the U.S., a weakness in the design of ICFR need only be disclosed on an annual basis, if it still exists as at the end of the financial year.
- Scope limitations on CEO and CFO certification – The Canadian rules permit the CEO and CFO to limit the scope of their certifications regarding ICFR in the case of variable interest entities, proportionately consolidated entities and any entity acquired within 365 days before the issuer’s year end. No similar scope limitations are permitted under U.S. securities laws.
- Management’s assessment is included in the MD&A – Under U.S. securities laws, the issuer must include in its annual report a separate report from management on its assessment of the effectiveness of ICFR. In Canada, management’s assessment is disclosed in the issuer’s MD&A.
Exemption for Issuers Complying with Sarbanes-Oxley Act Requirements
A reporting issuer is exempt from the annual and quarterly certification requirements under the Instrument if: (a) the issuer complies with the annual report certification requirements prescribed under Section 302 and the internal control reporting requirements under Section 404 of the Sarbanes-Oxley Act; and (b) all documents filed with or furnished to the SEC under those provisions are filed on SEDAR as soon as practical after they have been submitted to the SEC. A reporting issuer relying on this exemption will have to ensure that its annual and quarterly MD&A contain all of the disclosure necessary to support the statements being made in the Section 302 Sarbanes-Oxley Act certifications made by its CEO and CFO, which will require that the MD&A disclose any change in ICFR during the period that has materially affected, or is reasonably likely to materially affect, the issuer’s ICFR. This exemption is not available if the issuer files financial information in Canada which differs from the financial information filed in the United States.