The Canadian Securities Administrators published for comment an updated rule in respect of certification of disclosure in annual and interim filings. The proposed rule would be a revised version of National Instrument 52-109 – Certification of Disclosure in Issuers’ Annual and Interim Filings. The CSA had earlier announced that it would not proceed with the implementation of previously published rules requiring a report of management on its assessment of the effectiveness of the issuer’s internal controls and a report of the issuer’s auditors in this respect.
This previous proposal was based on the requirements of section 404 on the Sarbanes–Oxley Act of 2002.
The current Canadian certification rules focus on the design and evaluation of the effectiveness of the issuer’s disclosure controls and procedures (DC&P) as well as the design of internal control over financial reporting (ICFR). Under the proposed rule, the required management certification would be extended to the evaluation of the effectiveness of ICFR.
The proposed rule, which has a proposed effective date of June 30, 2008, will apply to all reporting issuers in Canada (other than investment funds), including "venture issuers".
Summary of the Proposed Rule
The focus of the proposed rule is to mandate that annual and interim certificates signed by the CEO and CFO be expanded and to require enhanced disclosure in the MD&A. These new requirements are described in further detail below.
New Annual Certificate
The annual certificate required to be signed by each of the CEO and CFO (the certifying officers) will need to address the following:
- Review – confirmation that the certifying officers have reviewed the annual information form, annual financial statements, annual MD&A and all documents incorporated by reference.
- No misrepresentations – confirmation that the annual filings do not contain any untrue statement of a material fact or omit to state of material fact required to be stated to make a statement not misleading (based on the knowledge of the certifying officer having exercised reasonable diligence).
- Fair presentation – confirmation that the annual financial statements and other financial information included in the annual filings fairly present in all material respects the financial condition and results of operations and cash flows of the issuers (based on the knowledge of the certifying officer having exercised reasonable diligence).
- Responsibility – confirmation that the certifying officers are responsible for establishing and maintaining DC&P and ICFR.
- Design – confirmation that the certifying officers have:
- designed, or caused to be designed under their supervision, DC&P to provide reasonable assurance with respect to specified disclosure matters; and
- designed, or caused to be designed under their supervision, ICFR to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP.
- Control Framework – confirmation that the MD&A identifies the control framework used to design the issuer’s ICFR or states that no framework was used.
- Reportable deficiency relating to design; limitation on scope of design – confirmation that the issuer has made the prescribed disclosure in its MD&A with respect to a reportable deficiency and limitation on the scope of design, if applicable.
- Evaluation – confirmation that the certifying officers have evaluated or caused to be evaluated under their supervision, the effectiveness of the issuer’s DC&P and ICFR and have made prescribed disclosure relating thereto in the MD&A.
- Reporting of changes – confirmation that the issuer has disclosed any change in the issuer’s ICFR that has occurred during the relevant period.
- Reporting of fraud – confirmation that the certifying officers have disclosed to the issuer’s auditors and the board of directors or audit committee any fraud that involves management or other employees who have a significant role in the issuer’s ICFR.
New Interim Certificate
The certificate to be signed by the certifying officers in respect of each interim period will be similar to the annual certificate, although it will not require certification of evaluation of the effectiveness of the issuer’s DC&P or ICFR for interim periods.
Disclosure in the MD&A
The proposed rule mandates the following disclosure in the MD&A relating to ICFR.
- Control Framework – identification of the control framework used to design the ICFR, if any;
- Reportable Deficiencies – any reportable deficiency (as defined) in ICFR; a description of the remediation plan to address the reportable deficiency; and the completion date or expected completion date of the remediation plan.
Where an issuer cannot reasonably remediate the reportable deficiency, the issuer is required to disclose the following:
- the risks the issuer faces relating to the reportable deficiency, and
- whether the issuer has mitigated those risks and, if so, how.
The proposed rule does not require the use of a control framework for the design of ICFR or the evaluation of the effectiveness of ICFR against a control framework. The CSA comments in the companion policy that the following control frameworks are available:
- Risk Management and Governance: Guidance on Control (COCO Framework), published by The Canadian Institute of Chartered Accountants;
- Internal Control-Integrated Framework (COSO Framework) published by the Committee of Sponsoring Organizations; and
- Guidance on Internal Control (Turnbull Guidance).
The CSA notes that smaller issuers can refer to Internal Control over Financial Reporting- Guidance for Smaller Public Companies published by the Committee of Sponsoring Organizations (COSO).
The proposed rule would allow certifying issuers to limit the scope of the design of DC&P and ICFR to exclude (i) a proportionately consolidated entity; (ii) a variable interest entity; (iii) a business that the issuer has acquired within 90 days before year-end.
The proposed rule does not prescribe the approach certifying officers should use to design the issuer’s DC&P and ICFR. However, the CSA comments in the companion policy that it believes that a "a topdown, risk based approach is an efficient and cost-effective approach that certifying officers should consider". The CSA also provides commentary and guidance with respect to the importance of an issuer’s control environment in the design and evaluation of DC&P and ICFR. The CSA also provides commentary with respect to the need for the board of directors to understand the basis upon which certifying officers concluded that any particular deficiency or combination of deficiencies did or did not constitute a reportable deficiency.
Transition period and exemptions
The proposed rule is expected to be effective June 29, 2008 and accordingly, the certification with respect to financial years ending on or before June 29, 2008 would benefit from certain modifications to accommodate the transition to the new rule.
As is the case with the current rule, issuers who comply with the certification requirements of U.S. securities laws will be able to comply with the proposed rule by filing in Canada the certificates filed in the U.S. Exemptions will also be available for certain foreign issuers, exchangeable security issuers and credit support issuers.
Although the proposed rule stops short of requiring compliance with an auditor’s attestation with respect to management’s assessment of the effectiveness of ICFR, the proposed rule imposes significant new obligations on issuers (and their certifying officers) with respect to evaluation of DC&P and ICFR and disclosure relating thereto. Issuers will need to consider their internal processes and procedures well in advance of the proposed implementation date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.