The exact form of certification of the effectiveness of an issuer's internal controls over financial reporting ("Internal Controls") has been unsettled since the Canadian Securities Administrators ("CSA") first introduced the idea several years ago in response to the certification requirements in the United States Sarbanes-Oxley Act.
The latest proposal to amend Multilateral Instrument 52-109, which governs certifications of disclosure, was published for comment on March 30, 2007. Given the history of Multilateral Instrument 52-109 it is likely that there will be further changes to the proposed instrument (the "Revised Instrument").
However, on the assumption that the Revised Instrument will not change materially and that it will still be implemented when projected (June 30, 2008), this note sets out some of the principal elements of the Revised Instrument.
If implemented, the Revised Instrument will apply to all reporting issuers other than investment funds (there are exemptions for certain issuers, such as those who comply with U.S. law) and require an evaluation of the effectiveness of Internal Controls. Accordingly, venture issuers (which under one of the previous proposals would have been exempt from this requirement) will need to evaluate the effectiveness of their Internal Controls and provide the same annual certification as all other reporting issuers.
The Revised Instrument will apply to financial years beginning on or after March 31, 2005. To give issuers sufficient time to complete the first evaluation of the effectiveness of their Internal Controls, the CSA has proposed an effective date for the Revised Instrument of June 30, 2008.
No transition period will apply. All issuers will be required to comply with the full annual certification for the first financial year ending after June 29, 2008 and the full interim certification for the first interim period ending after June 29, 2008, as follows:
Two significant provisions of the Revised Instrument are the requirement that issuers disclose, in their management's discussion and analysis ("MD&A"), reportable deficiencies in the design or operation of their Internal Controls and the requirement that the certifying officers confirm they have disclosed to the issuer's auditors, board and audit committee any instances of fraud discovered in their evaluation of Internal Controls.
A "reportable deficiency" is a deficiency in the design or operation of one or more controls that would cause a reasonable person to doubt that the design or operation of Internal Controls provides reasonable assurance as to the reliability of financial reporting or the preparation of financial statements for external purposes in accordance with the issuer's GAAP.
New Form of Certifications
Currently, in annual and interim certifications the certifying officers of an issuer must certify that the issuer's applicable filings do not contain misrepresentations, that the issuer's financial statements and financial information in the applicable filings fairly present the financial condition of the issuer, that the officers are responsible for the design of disclosure controls and procedures ("Disclosure Controls") and Internal Controls, and that the issuer has disclosed material changes in its Internal Controls in its MD&A. In addition, the annual certification must include a statement that the officers have evaluated the effectiveness of Disclosure Controls and their conclusions are disclosed in the issuer's MD&A.
The Revised Instrument will expand the certification as to design of Disclosure Controls to require a statement that Disclosure Controls have been designed to provide reasonable assurance that information required to be disclosed by the issuer under securities legislation is reported within the required time periods.
In addition, the Revised Instrument will expand annual certifications to require certifying officers to state that:
- they have evaluated, or supervised the evaluation of, the effectiveness of the issuer's Internal Controls, and the issuer's annual MD&A discloses their conclusions, describes the evaluation process undertaken, and describes any reportable deficiency in the operation of Internal Controls and the plans to remediate such deficiency;
- the annual MD&A identifies the control framework used to design the Internal Controls, or states that no control framework was used;
- the annual MD&A describes any reportable deficiency in the design of Internal Controls, remediation plans and anticipated completion date of the remediation plan; and
- they have disclosed to the issuer's auditors, the board and audit committee any fraud that involves management or other employees who have a significant role in the Internal Controls.
Finally, the Revised Instrument will expand interim certifications to require the certifying officers to state that:
- the interim MD&A identifies the control framework used to design the Internal Controls, or states that no control framework was used; and
- the interim MD&A describes any reportable deficiency in the design of Internal Controls, remediation plans and anticipated completion date of the remediation plan.
An issuer will be permitted to limit the scope of the design of Disclosure Controls and Internal Controls to exclude controls and procedures carried out by certain entities in which it has an interest or businesses acquired by it less than 90 days before the applicable reporting period.
A venture issuer that cannot reasonably remediate a reportable deficiency in the design of Internal Controls will be permitted to rely on an exception, provided it makes certain additional disclosure in its MD&A.
The certifications must use the prescribed language set out in the applicable forms. Any variation of that language will be deemed to be a breach of the Revised Instrument.
This is only a brief summary of a few of the principal provisions of the Revised Instrument. Issuers should read the Revised Instrument and the proposed Companion Policy in their entirety to determine any impact that the changes may have.