Canada: Canadian Securities Administrators Publish Revised Proposed Replacement Of Instrument Relating To Internal Control Reporting And Certification Requirements

Copyright 2008, Blake, Cassels & Graydon LLP

Originally published in Blakes Bulletin on Securities Regulation, May 2008


  • Proposed national instrument would distinguish between venture issuers and non-venture issuers

  • Management would be required to evaluate an issuer's internal control over financial reporting (ICFR) and provide MD&A disclosure about their conclusions on the effectiveness of ICFR

  • Guidance provided on how the design of ICFR and the evaluation of ICFR should be undertaken

  • New certificate would be available for venture issuers

  • Identified material weaknesses would not have to be remediated but issuers would have to disclose its plans, if any, to remediate material weaknesses

The Canadian Securities Administrators (CSA) recently published for comment a revised replacement of Multilateral Instrument 52-109 — Certification of Disclosure in Issuers' Annual and Interim Filings (MI 52-109). If enacted, Proposed National Instrument 52-109 — Certification of Disclosure in Issuers' Annual and Interim Filings (Proposed NI 52-109) would distinguish between (i) "venture issuers", meaning reporting issuers that are not listed on the Toronto Stock Exchange (TSX) or a major exchange or quotation and reporting system outside of Canada, and (ii) "non-venture issuers", meaning reporting issuers that are not venture issuers (referred to herein as issuers).

Proposed NI 52-109 would require management of issuers to evaluate the issuer's internal control over financial reporting (ICFR) in addition to its disclosure controls and procedures (DC&P), and provide management's discussion and analysis (MD&A) disclosure about their conclusions on the effectiveness of the issuer's ICFR and DC&P based on such evaluation.

The CSA had previously published for comment, on March 30, 2007, a proposed National Instrument 52-109 (2007 Proposal). For a summary of the 2007 Proposal, see our April 2007 Blakes Bulletin on Securities Law Proposed Replacement of Instrument Relating to Internal Control Reporting and Certification Requirements on Blakes Web site in our Publications — Corporate Finance & Securities Regulation section.

The most significant changes in Proposed NI 52-109 from the 2007 Proposal are (i) a new form of certificate for venture issuers which does not include representations relating to the establishment and maintenance of DC&P and ICFR, (ii) that issuers are required to use a control framework in the design of ICFR, (iii) that the threshold for reporting a weakness in an issuer's ICFR is a "material weakness" rather than a "reportable deficiency" and (iv) that an issuer does not have to remediate a material weakness that exists as at the end of the period covered by its annual or interim filings, but must disclose its plans, if any, to remediate such material weakness.


The key features of Proposed NI 52-109 when compared with the current MI 52-109 are set out below. Other than the description of the new certificate available for venture issuers, the following requirements under Proposed NI 52-109 apply solely to issuers and do not apply to venture issuers.

Additional Guidance On Design Of Disclosure And Internal Controls

Proposed NI 52-109 explicitly requires that issuers establish and maintain DC&P and ICFR, whereas the current MI 52- 109 only requires certifying officers to certify that they have designed DC&P and ICFR. Although Proposed NI 52-109 does not require specific components for DC&P or ICFR, the proposed Companion Policy provides more guidance than the current MI 52-109 on the components that should be included.

In determining the full scope of these components, the CSA suggest that certifying officers should use a top-down, risk-based approach in the design process and should design such components using their judgment, acting reasonably, giving consideration to various factors particular to an issuer, including its size, nature of business and complexity of operations. The Companion Policy contains significant guidance on how this approach should be undertaken.

Proposed NI 52-109 allows the certifying officers of an issuer to limit the scope of the design of its DC&P and ICFR to exclude DC&P controls, policies and procedures of underlying entities in which the issuer has an interest such as proportionately consolidated entities, variable interest entities and businesses that the issuer acquired not more than 365 days before the end of the period to which the certificate relates (this compares to a 90-day period in the 2007 Proposal). However, the issuer must disclose in its MD&A the scope of this limitation and summary financial information of such underlying entities.

Evaluation Of Internal Control Over Financial Reporting

Certifying officers of issuers will be required to certify in their annual certificates that they have evaluated the effectiveness of the issuer's ICFR at the financial year end and that they have caused the issuer to disclose in its annual MD&A their conclusions from this evaluation. Proposed NI 52-109 does not prescribe how the certifying officers should conduct their annual evaluation of an issuer's ICFR. However, the proposed Companion Policy does provide guidance on the tools that they should use in their evaluation, which includes self-assessments. In the proposed Companion Policy, the CSA also indicate that the nature, timing and extent of evaluation procedures necessary for certifying officers to obtain reasonable support for the effective operation of ICFR depends on the level of risk each component is designed to address.

Guidance is also provided in the proposed Companion Policy to assist certifying officers in determining whether a deficiency is addressed by a compensating control or a mitigating procedure and how that determination affects their conclusions on the effectiveness of ICFR.

Control Framework For Issuers

Proposed NI 52-109 requires an issuer to use a control framework in the design of its ICFR. This requirement was not included in the 2007 Proposal. The proposed Companion Policy states that the framework used should be a suitable control framework that is established by a body or group that has followed due-process procedures. Although the CSA have not mandated the use of any particular framework, the proposed Companion Policy refers to certain examples, such as:

  • the Risk Management and Governance: Guidance on Control (COCO Framework), formerly known as Guidance of the Criteria of Control Board, published by the Canadian Institute of Chartered Accountants;

  • the Internal Control — Integrated Framework (COSO Framework) published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO); and

  • the Guidance on Internal Control (Turnbull Guidance) published by the Institute of Chartered Accountants in England and Wales.

A smaller issuer may also refer to Internal Control over Financial Reporting — Guidance for Smaller Public Companies published by COSO, which provides guidance to smaller companies on the implementation of the COSO Framework.

Increased MD&A Disclosure

Rather than referring to the concept of a "reportable deficiency" as set out in the 2007 Proposal, Proposed NI 52-109 requires an issuer's certifying officer to identify and disclose a "material weakness" in the design or operation of its ICFR, the definition of which was adopted from the U.S. definition of "material weakness" under Section 404 of the Sarbanes-Oxley Act of 2002. The threshold for meeting the definition of a "material weakness" is whether there exists "a deficiency, or combination of deficiencies in ICFR such that there is a reasonable possibility that a material misstatement of the reporting issuer's annual or interim financial statements will not be prevented or detected on a timely basis." If the certifying officers of an issuer identify a "material weakness" in the design or operation of its ICFR which exists as at the end of the period covered by its annual or interim filings, they cannot certify that the issuer's ICFR is effective. Under Proposed NI 52-109, an issuer is required to disclose in its annual and interim MD&A:

  • with respect to material weaknesses:

    • a description of each material weakness in the design or operation of its ICFR;

    • the impact of the material weakness on the issuer's financial reporting and its ICFR;

    • the issuer's current plans, if any, or any actions already undertaken, for remediating the material weakness;

  • the certifying officers' conclusions about the effectiveness of its ICFR (annual only);

  • the name of the control framework used in the design of its ICFR; and

  • if applicable, any limitation in the scope of the design of its ICFR.

Expanded Certificates For Issuers

Proposed NI 52-109 expands the required full annual and interim certificates currently applicable to issuers to include representations from its certifying officers that:

  • the issuer has disclosed in its annual/interim MD&A information regarding the effectiveness of its ICFR and any material weakness identified therein (see above under "Increased MD&A Disclosure"); and

  • the certifying officers have disclosed to the issuer's auditors and the board of directors or the audit committee any fraud that involves management or other employees who have a significant role in the issuer's ICFR.

As an alternative to the full annual certificate, Proposed NI 52-109 permits issuers to file annual certificates that exclude certifications relating to ICFR for the first financial period after an initial public offering or reverse takeover.

New Certificates For Venture Issuers

Instead of requiring venture issuers to file full annual and interim certificates, Proposed NI 52-109 allows venture issuers to file a "venture issuer basic certificate" which does not include representations relating to the establishment and maintenance of DC&P and ICFR. The basic certificate includes a "note to reader" explaining how the basic certificate differs from the certificate required to be filed by issuers.

A venture issuer filing a basic certificate is no longer required to discuss in its annual or interim MD&A the design or operating effectiveness of DC&P or ICFR. However, if a venture issuer files a basic certificate and chooses to discuss the design or operation of one or more components of its DC&P or ICFR in its annual or interim MD&A, the CSA suggest in the proposed Companion Policy that the venture issuer should include a discussion in such MD&A that is similar to the disclosure in the "note to reader" on its basic certificate. A venture issuer may, at its option, still file a full certificate.

Venture issuers are also permitted under Proposed NI 52-109 to file annual certificates that exclude certifications relating to ICFR for the first financial period after becoming a non-venture issuer (i.e., listed on the TSX or a major exchange or quotation and reporting system outside of Canada, with some exceptions).


If adopted, Proposed NI 52-109 would repeal and replace MI 52-109 and would apply to all reporting issuers other than investment funds. The proposed effective date of Proposed NI 52-109 is December 15, 2008 and Proposed NI 52-109 would apply to all annual and interim filing for periods ending on or after that date.


Interested parties are invited by the CSA to submit written comments on Proposed NI 52-109 by June 17, 2008.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
26 Oct 2018, Other, Vancouver, Canada

Cybersecurity, including data privacy and security obligations, has become a critical chapter in every company’s risk management playbook.

30 Oct 2018, Other, Toronto, Canada

Please join us for discussions on recent updates and legal developments in pension and employee benefits as well as employment law issues.

12 Nov 2018, Other, Toronto, Canada

Stories aren’t falsehoods. Stories are the root of all effective human communications: they motivate, animate and clarify. If you aren’t telling stories, you probably aren’t getting your point across.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions