The Current Status Of CFO And CEO Certifications In Canada

For most Canadian public issuers, certification of disclosure controls and internal control over financial reporting is now required

Multilateral Instrument MI 52-109 Certification of Disclosure of Issuers’ Annual and Interim Filings (Certification Rule) got off to a bumpy start in 2003. Being subject to a number of amendments, as well as a repeal and restatement proposal, it is not difficult to understand why there is still confusion about what is required to be certified.

Previous transition period exemptions having expired, issuers subject to the Certification Rule are now required to file certificates in respect of annual filings for the year ended December 31, 2006 (which applies to most Canadian public issuers), certifying the following in respect of annual filings, disclosure controls and internal controls:

The CEO and CFO must certify that the annual filings (which means the AIF, annual financial statements and annual MD&A, and anything incorporated by reference into the AIF):

• have been reviewed,
• based on their knowledge, do not contain any untrue statement of a material fact or omit to state a material fact required to be stated or that is necessary to make a statement not misleading under the circumstances, and
• based on their knowledge, together with other financial information included in the annual filings, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer.

The CEO and CFO must certify that they:

• are responsible for establishing and maintaining disclosure controls and procedures,
• have designed such disclosure controls and procedures or caused them to be designed to provide reasonable assurance that material information relating to the issuer, on a consolidated basis, is made known to the certifying officers and others, particularly during the period that annual filings are being prepared, and
• have evaluated the effectiveness of the issuer’s disclosure controls and procedures as of the end of the relevant period and have caused the issuer to disclose in the annual MD&A their conclusions about such effectiveness.

The CEO and CFO must certify that they:

• are responsible for establishing and maintaining internal control over financial reporting,
• have designed such internal control over financial reporting or caused it to be designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP, and
• have caused the issuer to disclose in the annual MD&A any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.

Similar certifications are also required for all interim periods ending after the issuer’s first year-end following June 30, 2006, the only significant difference being that interim certificates relate to interim financial statements and interim MD&A and are not required to include a certification regarding the evaluation of the effectiveness of an issuer’s disclosure controls and procedures (nor the corresponding disclosure in the interim MD&A, as discussed below, although disclosure of any change in the issuer’s internal control over financial reporting from the most recent interim period is required).

In compliance with the certifications, corresponding disclosure regarding the effectiveness of disclosure controls and procedures and any changes in internal control over financial reporting must also be included in the issuer’s MD&A. Specifically, annual MD&A must include disclosure relating to:

• the certifying officers’ conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the annual filings based on such evaluation, and
• any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting (this disclosure relates to changes from the most recent interim period, i.e. during the fourth quarter, even though it is required to be disclosed in the annual MD&A).

Interim MD&A must include disclosure relating to any change in the issuer’s internal control over financial reporting that occurred during the issuer’s most recent interim period that has materially affected, or is reasonably likely to materially affect, the issuer’s internal control over financial reporting.

The CSA noted in CSA Staff Notice 52-315 Certification Compliance Review (published September 22, 2006) that approximately 28% of issuers surveyed failed to include the disclosure of the certifying officers’ conclusions about the effectiveness of the disclosure controls and procedures in their annual MD&A. In the CSA’s opinion, this "widespread non-compliance with such a clear and basic requirement shows that many issuers are not paying adequate attention to their disclosure obligations" and raised particular concerns considering that, in most cases, the certifying officers specifically represented in their certificates that they had caused the issuer to include this disclosure in the annual MD&A. CSA Staff Notice 52-315 also reminds issuers of the following:

• certificates should be dated the date they are filed, and no earlier than the date of the relevant annual or interim filings that are being certified, and
• if an annual or interim filing is re-filed, or filed after the original certificates and related disclosure documents were filed (for example, where a venture issuer voluntarily files an AIF after its annual financial statements have been filed or where an error in a previously filed document requires it to be re-filed), the issuer must also re-file new certificates (dated the date they are re-filed and no earlier than the date of the new filings), separately but concurrently with such filing.

By way of clarification of the Certification Rule, on September 29, 2006, the CSA issued CSA Staff Notice 52-316 - Certification of Design of Internal Control Over Financial Reporting. This notice sets out the CSA’s view on the ability of certifying officers to certify as to the design of internal control over financial reporting where they have identified a weakness in the design. In the notice the CSA acknowledge that there are certain circumstances in which a certifying officer may be able to provide the required certification even though a weakness has been identified. In such circumstances, the CSA advise that the issuer's disclosure of the weakness should present "an accurate and complete picture" of the condition of the design of the internal controls. To this end, the CSA are of the view that the conclusions about the effectiveness of disclosure controls and procedures (required to be included in the annual MD&A) should include disclosure of any identified weaknesses in disclosure controls and procedures, and given the overlap between disclosure controls and internal control over financial reporting, the annual MD&A should disclose the nature of any weaknesses in the design of the issuer’s internal control over financial reporting, the risks associated with it, and any plans to remediate it; and if there are no plans despite such a weakness, an explanation of why.

The Certification Rule first came into force effective March 30, 2004, and allowed issuer’s to omit certification relating to disclosure controls and internal controls for periods ending on or before March 30, 2005. The Certification Rule was then amended effective June 6, 2005 to provide a further grace period in respect of the certification required for internal controls (which grace period expired with the first year-end following June 30, 2006). The Certification Rule was also subject to a proposed repeal and restatement in conjunction with the proposed, and now defunct, Proposed Multilateral Instrument 52-111 Reporting on Internal Control Over Financial Reporting. As reported in our May 2006 Securities Law Update, pursuant to CSA Notice 52-313, published on March 10, 2006, the CSA have abandoned their plans to implement the proposed separate internal control certification rule (and to repeal and restate the Certification Rule). They instead intend to add the following additional matters to the certificates that are currently required under the Certification Rule, therefore requiring that the CEO and CFO certify that they have, as of the end of the financial year, (i) evaluated the effectiveness of the issuer’s internal control over financial reporting, and (ii) caused the issuer to disclose in its annual MD&A their conclusions about the effectiveness of internal control over financial reporting. It is also proposed that issuers will be required to include a description of the process used for evaluating the effectiveness of the issuer’s internal control over financial reporting and conclusions about such effectiveness in the corresponding annual MD&A.

On February 9, 2007, the CSA published CSA Notice 52-317 stating that the CSA will seek necessary approvals to publish proposed amendments to the Certification Rule by March 2007, and that they intend to propose that such amendments apply to financial years ending on or after June 30, 2008.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.