Canada: CSA Proposes New Rules For Internal Control Reporting

On February 4, 2005, members of the Canadian Securities Administrators (the CSA), other than British Columbia, published for a 120-day comment period proposed Multilateral Instrument 52-111 Reporting on Internal Control over Financial Reporting (the Proposed Internal Control Instrument) and a related companion policy (collectively, the Proposed Internal Control Materials). The CSA also published an instrument to revise Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings (the Revised Certification Instrument), the certification forms and the related companion policy (collectively, the Revised Certification Material).

The objective of the proposals set out in the Proposed Internal Control Materials and the Revised Certification Materials is to improve the quality and reliability of financial and other continuous disclosure reporting by reporting issuers. The CSA believe that this in turn will help to maintain and enhance investor confidence in the integrity of Canadian capital markets.

The Proposed Internal Control Materials and the Revised Certification Materials will also lend support to various other initiatives developed by the CSA by requiring issuers to develop appropriate systems that provide reasonable assurance regarding the reliability of disclosure made by issuers.

The Proposed Internal Control Instrument will impose the following requirements in addition to the requirements of the Revised Certification Materials:

  • an evaluation of the effectiveness of internal control over financial reporting against a suitable control framework;
  • maintenance of evidence providing reasonable support for the evaluation of the effectiveness of internal control over financial reporting;
  • reporting of material weaknesses in internal control over financial reporting; and
  • an audit of internal control over financial reporting.

These requirements are similar to those under the SOX 404 Rules adopted by the SEC in connection with the U.S. Sarbanes-Oxley law.

American experience to date with the implementation of the SOX 404 Rules has proven very expensive. Issuers have had to allocate substantial resources, both monetary and personnel, to implement the required procedures. New software had to be developed or purchased, andissuers were also faced with hefty hikes in audit fees and other expenses, including service or consulting fees for implementing the required procedures.

The Revised Certification Instrument will harmonize the current certification requirements with those imposed by the SOX 302 Rules for all reporting issuers that are subject to the Proposed Internal Control Instrument.

Scope of Application

The Proposed Internal Control Instrument applies to all reporting issuers other than investment funds and venture issuers. In contrast, the Revised Certification Instrument applies to all reporting issuers other than investment funds. As a result, venture issuers are subject to the requirements of the Revised Certification Instrument, but are not required to comply with the Proposed Internal Control Instrument.

Effective Dates and Transition Periods

The provisions regarding internal control reports and internal control audit reports will be phased in over four years, starting with financial years ending on or after June 30, 2006. The implementation dates are based on the market capitalisation of issuers calculated on the basis of a twenty-trading-day weighted average as of June 30, 2005 (with an exception for an issuer who becomes a reporting issuer or ceases to be a venture issuer after that date).

The table below sets out the implementation dates, which are being phased in to provide issuers time to prepare for compliance with the requirements and to ensure that adequate resources are available.

Issuer’s Market

First Year-end to
which reporting
requirements apply

$500,000,000 or more

June 30, 2006

$250,000,000 or more
but less than $500,000,000

June 30, 2007

$75,000,000 or more
but less than $250,000,000

June 30, 2008

less than $75,000,000

June 30, 2009

Management's Assessment of Internal Control Effectiveness

The Proposed Internal Control Instrument requires management of every issuer, with the participation of the certifying officers, to evaluate the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's financial year.

Definition of "Management"

The Proposed Internal Control Instrument intentionally does not define "management." The CSA believe that it should be left to the discretion of the certifying officers, acting reasonably, to determine the other members of management for the purposes of the Proposed Internal Control Instrument.

Scope of Evaluation

The Proposed Internal Control Instrument does not prescribe the scope of the evaluation of internal control over financial reporting. The CSA believe that it should be left to the judgment of management, acting reasonably, and that this will allow management to tailor its evaluation to the particular circumstances of the issuer, taking into account the issuer's size, nature of business and complexity of operations. The Proposed Internal Control Policy, however, clarifies the CSA’s expectations of the scope of the evaluation if the issuer has certain interests in an underlying entity.

The controls subject to such assessment include:

  • controls over initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions included in the financial statements;
  • controls related to the initiation and processing of non-routine and non-systematic transactions, such as accounts involving judgments and estimates;
  • controls related to the selection and application of appropriate accounting policies that are in accordance with the issuer's GAAP;
  • anti-fraud programs and controls;
  • controls, including general information-technology controls, on which other controls are dependent;
  • controls over the period-end financial reporting process; and
  • controls that have a pervasive impact, such as those within the control environment, including the "tone at the top," assignment of authority and responsibility, consistent policies and procedures and issuer-wide programs that apply to all locations and business units.

The assessment of an issuer's internal control over financial reporting should be based upon procedures sufficient to evaluate its design and to test its operating effectiveness. The nature of an issuer's testing activities will largely depend on the circumstances of the issuer and the significance of a control. The proposed companion policy provides that inquiry alone, however, will not generally provide an adequate basis for management's assessment.

The Proposed Internal Control Instrument does not require interim evaluations of internal control over financial reporting. The CSA recognize that some controls operate continuously while others operate only at certain times, such as the end of a financial year. The management of an issuer should perform evaluations of the design and operation of the issuer's internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the issuer's financial year, the design and operation of the issuer's internal controls over financial reporting are effective.

Suitable Control Framework

The evaluation must be based upon a suitable control framework. The Proposed Internal Control Instrument does not prescribe the control framework that must be used. Instead it requires management to use a "suitable" control framework established by a body or group that has followed an open and transparent process, including giving the public an opportunity to offer comments, when developing the control framework.

The Proposed Internal Control Policy provides additional guidance on what constitutes a "suitable control framework." In particular, it confirms that the following control frameworks satisfy the criteria of a suitable control framework:

  • the Risk Management and Governance/Guidance on Control published by The Canadian Institute of Chartered Accountants' Criteria of Control Board (CoCo);
  • the Internal Control Integrated Framework published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO); and
  • the Turnbull Report published by The Institute of Chartered Accountants in England and Wales.


The Proposed Internal Control Instrument requires every issuer to maintain evidence that provides reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting. The evidence must be maintained in a manner that ensures the trustworthiness and readability of the information recorded and for the same period that the accounting records for the financial year to which the evidence relates are maintained in accordance with the Income Tax Act (Canada). The application of this requirement to issuers not subject to the Income Tax Act (Canada) is not clear.

The Proposed Internal Control Instrument does not prescribe the content of the evidence, as the CSA believe that it may vary depending on the issuer's size, the nature of its business and the complexity of its operations. The Proposed Internal Control Policy indicates that the evidence should include information about the design of internal controls over financial reporting and the testing processes used by management, including:

  • the design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements;
  • information about how significant transactions are initiated, authorized, recorded, processed and reported;
  • sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
  • a listing of controls designed to prevent or detect fraud, including who performs the controls and related segregation of duties;
  • a listing of controls over period-end financial reporting processes;
  • a listing of controls over safeguarding of assets; and
  • results of management's testing and evaluation.

Internal Control Report

The proposed Internal Control Instrument also requires every issuer to file a report from management that describes management's assessment of the effectiveness of the issuer's internal control over financial reporting (an internal control report). An internal control report must be filed separately, but concurrently, with the issuer's annual financial statements and annual MD&A.

An internal control report must include:

  • a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;
  • a statement identifying the control framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting;
  • management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's financial year, including a statement as to whether the internal control over financial reporting is effective;
  • disclosure of any material weaknesses in the issuer's internal control over financial reporting identified by management;
  • a statement that the auditors that audited the issuer's annual financial statements have issued an internal control audit report;
  • disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a joint venture or a variable interest entity (VIE) in which the issuer has a material interest; and
  • disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a business that was acquired by the issuer during the financial year.

The internal control report must be approved by the issuer's board of directors before it is filed.

Internal Control Audit Report

The Proposed Internal Control Instrument requires every issuer to file a report in which the issuer's auditor expresses an opinion, or states that an opinion cannot be expressed, concerning management's assessment of the effectiveness of the issuer's internal control over financial reporting (an internal control audit report). The internal control audit report must be filed together with the internal control report.

An internal control audit report must:

  • be prepared in accordance with the standard (the CICA Standard) for an audit of internal control over financial reporting performed in conjunction with an audit of financial statements established by the Auditing and Assurance Standards Board of The Canadian Institute of Chartered Accountants (the CICA);
  • be dated the same date as the audit report on the annual financial statements;
  • be signed by the auditor; and
  • identify the internal control report in respect of which the internal control audit report has been prepared.

The proposed CICA Standard is substantially the same as the Public Company Accounting Oversight Boards’ (the PCAOB) auditing standard number No. 2, an Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (the PCAOB Standard). Auditors of foreign issuers may perform their audit and prepare their audit report in accordance with the PCAOB Standard. A foreign issuer is defined to have the meaning ascribed to it in National Instrument 52-107 — Acceptable Accounting Principles, Auditing Standards and Reporting Currency.

Auditor Independence

Under the rules of professional conduct of the Canadian provincial and territorial institutes of Chartered Accountants, auditors are prohibited from providing certain non-audit services to issuers above a specified size threshold. Among other things, this permits an auditor expressing an opinion on financial statements of an issuer to provide certain non-audit services such as accounting, bookkeeping and internal audit so long as any resulting "self-review threat" is reduced to an acceptable level. The Proposed Internal Control Policy confirms that, if such services are provided to an issuer, the issuer's audit committee and the auditor should evaluate carefully whether the auditor's independence will be impaired for purposes of signing an internal control audit report.

Summary Of Changes To Current Certification Materials

The current certification materials continue to be in force in all jurisdictions, except British Columbia and Québec. If the Revised Certification Materials are adopted, they will replace the current certification materials.

There are two primary differences between the current certification forms and the proposed certification forms. First, the proposed certification form includes an annual representation that an issuer's certifying officers have disclosed, based on their most recent evaluation of internal control over financial reporting, to the issuer's auditors and audit committee:

  • all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting that are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information; and
  • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal control over financial reporting.

"Significant deficiency," "material weakness" and "audit committee" are defined in the Revised Certification Instrument. This representation is contained in the form of a certificate required under the SOX 302 Rules and is based upon an evaluation of internal control over financial reporting, which is a requirement of the Proposed Internal Control Instrument.

Second, the proposed certification form contains a representation, if applicable, that the issuer is not required to comply with the requirements of the Proposed Internal Control Instrument.

Cost-Benefit Analysis

The CSA commissioned a cost-benefit analysis of the proposed rules. While acknowledging the difficulties of the analysis, Charles River Associates concluded that, based on mid-range estimates, the measured costs exceeded the measured benefits for all categories of issuers. They were only 20% higher in the case of issuers with assets over $5 billion, versus over 350% higher in the case of issuers with under $50 million in assets.

In November 2004, AMR Research published results based on a study conducted by it in which over 200 business and IT leaders were surveyed on SOX and broad compliance spending priorities. AMR Research estimated that companies will spend US$5.8 billion on meeting SOX requirements in 2005. AMR Research also reported that despite initial thoughts that SOX spending would be a one-time expenditure, 36% of the companies plan to increase spending, 52% will maintain current levels and 12% will decrease SOX spending.

Lessons learned from the US Experience

One is hopeful that Canadian companies can benefit from the experience of their American counterparts and their auditors in implementing SOX 404 Rules. More familiarity with internal controls, together with an increasing involvement of external audit firms in internal control considerations and requirements, have led to a clearer understanding of how companies must demonstrate compliance with the reporting rules. The following are some of the lessons learned when looking at the efforts of American companies to comply with the requirements of SOX 404 Rules

  • Company ownership – there must be a strong, accountable internal owner of the implementation of internal controls with the necessary resources and sponsorship from top management and the audit committee. We have learned that successful implementation requires that companies be focused on both the short term and the long term funding of the effort, have appropriate budget and dedicated resources to prioritize team efforts and oversee the program with suitable accountability.
  • Coordination – clearly, management of an issuer must take responsibility for developing its own approach to performing an evaluation of internal control over financial reporting. Several companies used a combination of internal resources and outside service providers. For obvious reasons, this approach should be a coordinated effort between the company, the outside service providers and the independent auditors. Coordination between the various constituents of the implementation process is critical. In that respect, a steering committee including management, internal audit functions, members of the audit committee, IT executives and the external auditors is one way of fostering such coordination.
  • Creating Value – The implementation of internal control over financial reporting can be seen as a mere compliance exercise. However, companies can look for ways to gain value from implementing such processes. Just like with running, one must learn how to walk before one can run. In the context of implementing internal controls over financial reporting, it is important to insure the fundamentals are in place for year one compliance before a company can focus on the long-term benefits. It is abundantly clear that the level and magnitude of efforts required by American companies for year one implementation of the reporting controls over financial control was much greater than originally expected. Proper focus on the first year of compliance is therefore required.
  • Ongoing Communication – American company experience shows that, initially, internal communications regarding the implementation of SOX 404 Rules primarily happen on a quarterly basis and as companies get closer to their compliance deadline, discussions became more frequent, typically monthly. In the early stages of implementation, these discussions were more focused on macro issues. As companies moved further into the testing phase, these discussions moved to more open dialogue on implementation issues and the timetable for performing remediation when control deficiencies were identified. Past experience shows that there is a need for continuous and consistent communication. Once again a steering committee can foster such environments.
  • Using the Right Resources – Specialized resources are particularly important. Many companies found that the skills necessary to document and test controls resided primarily within their internal audit group. A concrete benefit of extensive involvement by members of the internal audit group is the potential reduction in work required to be conducted by other internal resources as well as by outside service providers. However, a majority of companies have also had to add additional resources to help them stay on schedule with the documentation and testing processes. Accordingly, the use of a combination of internal resources and outside service providers will most likely ultimately be the most common approach used.
  • Next Year and Beyond – Ernst & Young recently reported that companies implementing SOX 404 Rules are enjoying benefits as a result of implementing the rules. According to Ernst & Young, more than 60% of the companies surveyed reported enhanced financial processes, 40% have seen their control expanding to other parts of the business and 20% suggested that increased consistency and standardization of internal processes represented another inherent gain. These benefits may increase in the years following implementation.

Issuers will need to focus on several issues to insure continued compliance and to maximize other potential benefits from the implementation of these processes. For example, will reporting over internal controls be seen as a compliance exercise or as a step towards enterprise-wide risk management? Just as initial compliance will be a significant management responsibility, so will ongoing compliance. How will the leadership team be structured and how will the process be integrated with other management functions? While there will be a significant decrease in the resources and effort required in later years compared to the first year of implementation, how will issuers document new processes, applications and acquisitions, update existing documentation and perform testing or assessment in the future?

Experience shows that there are no right or wrong answers, but that every issuer must assess its situation individually. Each issuer’s needs will be different and the path to compliance will, as a result, be different. Issuers should decide where they are headed and develop a multi-year plan to get there. Obviously, the extent of the work that will be required should not be underestimated; in fact, considerable thought must be given to finding the best way to leverage existing resources, and to learn from the experience of American companies and their advisors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.