Canada’s securities regulators have proposed new requirements for CEO and CFO certifications and related disclosure in management’s discussion and analysis (MD&A) pertaining to internal control over financial reporting.

The new rules are proposed to apply to all reporting issuers except investment funds, beginning with fiscal years ending on or after June 30, 2008. Cross-border issuers would not have to comply with these new requirements if they comply with the U.S. Securities and Exchange Commission’s internal control rules and auditor attestation requirements under section 404 of the Sarbanes-Oxley Act of 2002.

Proposals on Evaluating Internal Control over Financial Reporting

Under the proposed rules, CEOs and CFOs would have to evaluate the effectiveness of the issuer’s internal control over financial reporting and make the following new certifications:

  • They have disclosed to the issuer’s auditors, audit committee and board of directors any fraud involving management or other employees with a significant role in internal control over financial reporting; and
  • The issuer’s MD&A (i) describes the process used to evaluate the controls; (ii) discloses the CEO’s and CFO’s conclusions about the effectiveness of the controls; (iii) identifies any reportable deficiencies; and (iv) describes the issuer’s remediation plans.

A "reportable deficiency" is a deficiency in the design or operation of internal control over financial reporting that would cause a reasonable person to doubt that the controls provide reasonable assurance about the reliability of the issuer’s financial statements. The proposals include certain accommodations for venture issuers that cannot reasonably remediate a reportable deficiency.

In designing and evaluating internal control over financial reporting, management would be able to exclude proportionately consolidated investments, variable interest entities and businesses that were acquired within 90 days of the end of the reporting period. Issuers would have to disclose these exclusions in MD&A and provide summary financial information for the excluded entities.

The regulators have also published a proposed companion policy that provides guidance to issuers in interpreting and applying the internal control requirements. The guidance includes

  • a list of available control frameworks for designing or evaluating internal control over financial reporting (although use of a framework would not be mandatory);
  • advice on using a top-down, risk-based approach;
  • design challenges and key features of internal control over financial reporting;
  • the extent and form of required documentation;
  • evaluation tools;
  • use of the external auditor or other independent third party to assist in evaluating controls;
  • guidance for determining if a reportable deficiency exists; and
  • the role of directors and audit committees.

No Auditor Attestation Required

As securities regulators announced in March 2006, issuers will not be required to obtain an auditor’s attestation of the effectiveness of internal control over financial reporting, as is required of U.S. and cross-border companies under SEC rules. Although this represents a significant difference between the U.S. and Canadian regimes, some convergence may occur because the SEC and the U.S. Public Company Accounting Oversight Board are in the process of modifying the auditor attestation requirements and taking other steps to help companies comply with the U.S. rules more cost-effectively.

Certifications and MD&A Requirements Relating to Design

In addition to the above proposals relating to the evaluation of internal control in 2008 and beyond, the regulators are also proposing certain new requirements relating to the design of internal control. Since CEOs and CFOs are already required to design (or supervise the design of) internal controls, the new requirements, which would come into effect this year, are primarily aimed at enhancing the design certifications and MD&A disclosure rather than changing the substance of the design requirement.

Specifically, CEOs and CFOs would have to certify that the issuer’s MD&A discloses (i) any reportable deficiencies relating to the design of internal controls; (ii) the remediation plans for any design deficiencies (with certain accommodations for venture issuers that cannot reasonably remediate them); (iii) summary financial information for entities that were permitted to be excluded from the design; and (iv) the control framework used to design the controls or a statement that no framework was used.

The proposed new requirements can be obtained on the Ontario Securities Commission’s website at:

www.osc.gov.on.ca/Regulation/Rulemaking/Current/Part5/rule_20070330_52-109_cert-of-disc.pdf
