COMPANION POLICY 52-109CP TO NATIONAL INSTRUMENT 52-109 CERTIFICATION OF DISCLOSURE IN ISSUERS’ ANNUAL AND INTERIM FILINGS
TABLE OF CONTENTS PART 1 – GENERAL 1.1 Introduction and purpose 1.2 Application to non-corporate entities 1.3 Definitions PART 2 – FORM OF CERTIFICATES 2.1 Prescribed language PART 3 – CERTIFYING OFFICERS 3.1 One individual acting as chief executive officer and chief financial officer 3.2 Individuals performing the functions of a chief executive officer or chief financial officer 3.3 Delegation permitted 3.4 “New” certifying officers PART 4 – FAIR PRESENTATION AND FINANCIAL CONDITION 4.1 Fair presentation of financial condition, results of operations and cash flows 4.2 Financial condition PART 5 – CONTROL FRAMEWORKS FOR ICFR 5.1 No requirement to use a control framework 5.2 Types of control frameworks 5.3 Scope of control frameworks PART 6 – DESIGN OF DC&P AND ICFR 6.1 General 6.2 Overlap between DC&P and ICFR 6.3 Reasonable assurance 6.4 Judgment 6.5 Risk considerations for designing DC&P and ICFR 6.6 Control environment 6.7 Controls, policies and procedures to include in DC&P design 6.8 Controls, policies and procedures to include in ICFR design 6.9 Identification of significant accounts and relevant assertions in the context of a top-down, risk-based approach 6.10 ICFR design challenges 6.11 ICFR design accommodation 6.12 Corporate governance for internal controls 6.13 Maintaining design 6.14 Efficiency and effectiveness 6.15 Documenting design PART 7 – EVALUATION OF DC&P AND ICFR 7.1 General 7.2 Scope of evaluation 7.3 Judgment 7.4 Knowledge, supervision and objectivity
7.5 Use of external auditor or other independent third party 7.6 Evaluation tools 7.7 Certifying officers’ daily interaction 7.8 Walkthroughs 7.9 Reperformance 7.10 Timing of evaluation 7.11 Scope of evaluation for venture issuers relying on the ICFR design accommodation 7.12 Documenting evaluations PART 8 – IDENTIFICATION AND DISCLOSURE OF A REPORTABLE DEFICIENCY 8.1 ICFR – reportable deficiency 8.2 Assessing significance of deficiencies in ICFR 8.3 Strong indicators of a reportable deficiency 8.4 Disclosure of a reportable deficiency in ICFR relating to design 8.5 Disclosure of a reportable deficiency in ICFR relating to operation 8.6 Reporting of changes in ICFR after remediation 8.7 Disclosure for venture issuers relying on the ICFR design accommodation PART 9 – ROLE OF BOARD OF DIRECTORS AND AUDIT COMMITTEE 9.1 Board of directors 9.2 Audit committee 9.3 Reporting of fraud PART 10 – SUBSIDIARIES, VARIABLE INTEREST ENTITIES, PROPORTIONATELY CONSOLIDATED ENTITIES, EQUITY INVESTMENTS AND PORTFOLIO INVESTMENTS 10.1 Underlying entities 10.2 Fair presentation 10.3 Design and evaluation of DC&P and ICFR PART 11 – BUSINESS ACQUISITIONS 11.1 Access to acquired business 11.2 Disclosure of scope limitation PART 12 – EXEMPTIONS 12.1 Issuers that comply with U.S. laws PART 13 – LIABILITY FOR CERTIFICATES CONTAINING MISREPRESENTATIONS 13.1 Liability for certificates containing misrepresentations PART 14 – TRANSITION 14.1 Representations regarding DC&P and ICFR following the transition periods 2
PART 1 – GENERAL 1.1 Introduction and purpose – National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings (the Instrument) sets out disclosure and filing requirements for all reporting issuers, other than investment funds. The objective of these requirements is to improve the quality, reliability and transparency of annual filings, interim filings and other reports that issuers file or submit under securities legislation.
The purpose of this Companion Policy (the Policy) is to help you understand how the securities regulatory authorities interpret or apply certain provisions of the Instrument.
1.2 Application to non-corporate entities – The Instrument applies to both corporate and non-corporate entities. Where the Instrument or the Policy refers to a particular corporate characteristic, such as an audit committee of the board of directors, the reference should be read to also include any equivalent characteristic of a non-corporate entity.
1.3 Definitions – For the purposes of the Policy, “DC&P” means disclosure controls and procedures (as defined in the Instrument) and “ICFR” means internal control over financial reporting (as defined in the Instrument).
PART 2 – FORM OF CERTIFICATES 2.1 Prescribed language – The annual and interim certificates must be filed in the exact language prescribed in the required form (including the form number and form title) without any amendment. Failure to do so will be a breach of the Instrument.
PART 3 – CERTIFYING OFFICERS 3.1 One individual acting as chief executive officer and chief financial officer – If only one individual is serving as the chief executive officer and chief financial officer of an issuer, or is performing functions similar to those performed by such officers, that individual may either:
(a) provide two certificates (one in the capacity of the chief executive officer and the other in the capacity of the chief financial officer); or
(b) provide one certificate in the capacity of both the chief executive officer and chief financial officer and file this certificate twice, once in the filing category for certificates of chief executive officers and once in the filing category for certificates of chief financial officers.
3.2 Individuals performing the functions of a chief executive officer or chief financial officer (1) No chief executive officer or chief financial officer – If an issuer does not have a chief executive officer or chief financial officer, each individual who performs functions similar to those performed by a chief executive officer or chief financial officer must certify the annual filings and interim filings. If an issuer does not have a chief executive officer or chief financial officer, in order to comply with the Instrument the issuer will need to identify at least one individual who performs functions similar to those performed by a chief executive officer or chief financial officer, as applicable.
3
(2) Management resides at underlying business entity level or external management company – In the case of a reporting issuer where executive management resides at the underlying business entity level or in an external management company such as an income trust (as described in National Policy 41-201 Income Trusts and Other Indirect Offerings), the chief executive officer and chief financial officer of the underlying business entity or the external management company should generally be identified as individuals performing functions for the reporting issuer similar to a chief executive officer and chief financial officer.
(3) Limited partnership – In the case of a limited partnership reporting issuer with no chief executive officer and chief financial officer, the chief executive officer and chief financial officer of its general partner should generally be identified as individuals performing functions for the limited partnership reporting issuer similar to a chief executive officer and chief financial officer.
3.3 Delegation permitted – Section 2.1 of the Instrument requires issuers to cause their certifying officers to design, or cause to be designed under their supervision, the issuer’s DC&P and ICFR. Paragraph 6 of the annual certificates requires the certifying officers to evaluate the effectiveness of the issuer’s DC&P, and in the case of Form 52-109F1 the effectiveness of ICFR. Employees or third parties, supervised by the certifying officers, may conduct the design and evaluation of the issuer’s DC&P and ICFR. Such employees should individually and collectively have the necessary knowledge, skills, information and authority to design or evaluate, as applicable, the DC&P and ICFR for which they have been assigned responsibilities. Nevertheless, certifying officers must retain overall responsibility for the design, evaluation and resulting MD&A disclosure concerning the issuer’s DC&P and ICFR.
3.4 “New” certifying officers – An individual who is the chief executive officer or chief financial officer at the time that an issuer files annual and interim certificates is the individual who must sign a certificate.
The forms included in the Instrument require each certifying officer to certify that he or she has designed, or caused to be designed under his or her supervision, the issuer’s DC&P and ICFR. If an issuer’s DC&P and ICFR have been designed prior to a certifying officer assuming office, the certifying officer would:
(a) review the design of the existing DC&P and ICFR after assuming office; and (b) design any modifications to the existing DC&P and ICFR determined to be necessary following his or her review,
prior to certifying the design of the issuer’s DC&P and ICFR. PART 4 – FAIR PRESENTATION AND FINANCIAL CONDITION 4.1 Fair presentation of financial condition, results of operations and cash flows (1) Fair presentation not limited to issuer’s GAAP –The forms included in the Instrument require each certifying officer to certify that an issuer’s financial statements (including prior period comparative financial information) and other financial information included in the annual or interim filings fairly present in all material respects the financial condition, results of operations and cash flows of the issuer, as of the date and for the periods presented.
This certification is not qualified by the phrase “in accordance with generally accepted accounting principles” which is typically included in audit reports accompanying annual financial statements. The forms specifically exclude this qualification to prevent certifying officers from relying entirely on compliance with the issuer’s GAAP in this representation, particularly as the issuer’s GAAP financial statements might not fully reflect the financial condition of the issuer. Certification is intended to provide assurance that the financial information disclosed in the annual filings or interim filings, viewed in its entirety, provides a materially accurate and complete picture that may be broader than financial reporting under the issuer’s GAAP. As a result, certifying officers cannot limit the fair presentation representation by referring to the issuer’s GAAP.
Although the concept of fair presentation as used in the annual and interim certificates is not limited to compliance with the issuer’s GAAP, this does not permit an issuer to depart from the issuer’s GAAP in preparing its financial statements. If a certifying officer believes that the issuer’s financial statements do not fairly present the issuer’s financial condition, the certifying officer should ensure that the issuer’s MD&A includes any necessary additional disclosure.
(2) Quantitative and qualitative factors – The concept of fair presentation encompasses a number of quantitative and qualitative factors, including:
(a) selection of appropriate accounting policies; (b) proper application of appropriate accounting policies; (c) disclosure of financial information that is informative and reasonably reflects the underlying transactions; and
(d) additional disclosure necessary to provide investors with a materially accurate and complete picture of financial condition, results of operations and cash flows.
4.2 Financial condition – The Instrument does not formally define financial condition. However, the term “financial condition” in the annual certificates and interim certificates reflects the overall financial health of the issuer and includes the issuer’s financial position (as shown on the balance sheet) and other factors that may affect the issuer’s liquidity, capital resources and solvency.
PART 5 – CONTROL FRAMEWORKS FOR ICFR 5.1 No requirement to use a control framework – The Instrument does not require certifying officers to design ICFR using a control framework or to evaluate the effectiveness of ICFR against a control framework. However, certifying officers might find it useful to refer to a control framework when designing or evaluating the effectiveness of ICFR. Regardless of the certifying officers’ decision to use a control framework, paragraph 5.1 in the annual certificates requires the issuer’s annual MD&A to include a statement identifying the control framework the certifying officers used to design the issuer’s ICFR or a statement that they did not use a framework, as applicable.
5.2 Types of control frameworks – The following control frameworks are available: (a) the Risk Management and Governance: Guidance on Control (COCO Framework), formerly known as Guidance of the Criteria of Control Board, published by The Canadian Institute of Chartered Accountants;
5
(b) the Internal Control – Integrated Framework (COSO Framework) published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO); and
(c) the Guidance on Internal Control (Turnbull Guidance) published by The Institute of Chartered Accountants in England and Wales.
These frameworks were designed with larger issuers in mind; however, these frameworks include elements that apply to smaller issuers. Smaller issuers can also refer to Internal Control over Financial Reporting – Guidance for Smaller Public Companies published by COSO, which provides guidance to smaller public companies on the implementation of the COSO Framework.
In addition, Control Objectives for Information and Related Technology Framework (COBIT) published by the IT Governance Institute, might provide useful guidance for the design and evaluation of information technology controls that form part of an issuer’s ICFR.
5.3 Scope of control frameworks – The control frameworks referred to in section 5.2 include in their definition of “internal control” three general categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. ICFR is a subset of internal controls relating to financial reporting. ICFR does not encompass the elements of these control frameworks that relate to effectiveness and efficiency of an issuer’s operations or an issuer’s compliance with applicable laws and regulations, except for compliance with the applicable laws and regulations directly related to the preparation of financial statements.
PART 6 – DESIGN OF DC&P AND ICFR 6.1 General – Most sections in this part apply to the design of both DC&P (DC&P design) and ICFR (ICFR design); however, some sections provide specific guidance relating to DC&P design or ICFR design. The term “design” in this context generally includes both developing and implementing the controls, policies and procedures that comprise DC&P and ICFR. This Policy often refers to such controls, policies and procedures as the “components” of DC&P and ICFR.
6.2 Overlap between DC&P and ICFR – There is a substantial overlap between the definitions of DC&P and ICFR. However, some elements of DC&P are not subsumed within the definition of ICFR and some elements of ICFR are not subsumed within the definition of DC&P. For example, an issuer’s DC&P should include those elements of ICFR that provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with the issuer’s GAAP. However, the issuer’s DC&P might not include certain elements of ICFR, such as those pertaining to the safeguarding of assets.
6.3 Reasonable assurance – The definition of DC&P includes reference to reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under securities legislation is recorded, processed, summarized and reported within the time periods specified in the securities legislation. The definition of ICFR includes the phrase “reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP”. In this part the term “reasonable assurance” refers to one or both of the above uses of this term.
The terms “reasonable”, “reasonably” and “reasonableness” in the context of the Instrument do not imply a single conclusion or methodology, but encompass a range of potential conduct, conclusions or methodologies upon which certifying officers may base their decisions.
6
6.4 Judgment – The Instrument does not prescribe specific components of DC&P or ICFR or their degree of complexity. Certifying officers should design the components and complexity of DC&P and ICFR using their judgment, acting reasonably, giving consideration to various factors particular to an issuer, including its size, nature of business and complexity of operations.
6.5 Risk considerations for designing DC&P and ICFR (1) Approaches to consider for design – The Instrument does not prescribe the approach certifying officers should use to design the issuer’s DC&P or ICFR. However, we believe that a top-down, risk-based approach is an efficient and cost-effective approach that certifying officers should consider. This approach will allow certifying officers to avoid unnecessary time and effort designing components of DC&P and ICFR that are not required to obtain reasonable assurance. Alternatively, certifying officers may use some other approach to design, depending on the issuer’s size, nature of business and complexity of operations.
(2) Top-down, risk-based approach – Under a top-down, risk-based approach to designing DC&P and ICFR certifying officers first identify and understand risks faced by the issuer in order to determine the scope and necessary complexity of the issuer’s DC&P or ICFR. A top-down, risk-based approach helps certifying officers to focus their resources on the areas of greatest risk and avoid expending unnecessary resources on areas with little or no risk.
Under a top-down, risk-based approach, certifying officers would initially consider risks without considering any existing controls of the issuer. Using this approach to design DC&P and ICFR, the certifying officers would identify the risks that could reasonably result in a material misstatement, which includes misstatements due to error, fraud or omission in disclosure. Identifying risks involves considering the size and nature of the issuer’s business and the structure and complexity of business operations. For the design of DC&P, the certifying officers would assess risks for various types and methods of disclosure. For the design of ICFR, identifying risks also involves identifying significant accounts and relevant assertions. Once the risks are identified the certifying officers would then ensure that the DC&P and ICFR designs include controls, policies and procedures to address each of the identified risks.
(3) Fraud risk – When identifying risks, certifying officers should explicitly consider the vulnerability of the entity to fraudulent activity (e.g., fraudulent financial reporting and misappropriation of assets). Certifying officers should consider how incentives (e.g., compensation programs) and pressures (e.g., meeting analysts’ expectations) may affect risks, and what areas of the business provide opportunity for an employee, or combination of employees, to commit fraud.
(4) Designing controls, policies and procedures – If the certifying officers choose to use a top-down, risk-based approach, they would design specific controls, policies and procedures that, in combination with an issuer’s control environment, appropriately address the risks discussed in subsections (2) and (3).
If certifying officers choose to use an approach other than a top-down, risk-based approach, they should still consider whether the combination of the components of DC&P and ICFR that they have designed are a sufficient basis for the representations about reasonable assurance required in paragraph 5 of the certificates.
6.6 Control environment (1) Importance of control environment – An issuer’s control environment is the foundation upon which all other components of DC&P and ICFR are based and influences the tone of an organization. An effective control environment contributes to the reliability of all other controls, processes and procedures by creating an atmosphere where errors or fraud are either less likely to occur, or if they occur, more likely to be detected. An effective control environment also supports the flow of information within the issuer, thus promoting compliance with an issuer’s disclosure policies.
An effective control environment alone will not provide reasonable assurance that any of the risks identified will be addressed and managed. An ineffective control environment however, may undermine an issuer’s controls, policies and procedures designed to address specific risks and could create systemic problems which are difficult to resolve.
(2) Elements of a control environment – A key element of an issuer’s control environment is the attitude towards controls demonstrated by the board of directors, audit committee and senior management through their direction and actions in the organization. An appropriate tone at the top can help to develop a culture of integrity and accountability at all levels of an organization which support other components of DC&P and ICFR. The tone at the top should be reinforced on an ongoing basis by those accountable for the organization’s DC&P and ICFR.
In addition to an appropriate tone at the top, certifying officers should consider the following elements of an issuer’s control environment:
(a) organizational structure of the issuer – a centralized structure which relies on established and documented lines of authority and responsibility may be appropriate for some issuers, whereas a decentralized structure which allows employees to communicate informally with each other at all levels may be more appropriate for some smaller issuers;
(b) management’s philosophy and operating style – a philosophy and style that emphasises managing risks with appropriate diligence and demonstrates receptiveness to negative as well as positive information will foster a stronger control environment.
(c) integrity, ethics, and competence of personnel – preventive and detective controls, policies and procedures are more likely to be effective if they are carried out by ethical, competent and adequately-supervised employees;
(d) external influences that affect the issuer’s operations and risk management practices – these could include global business practices, regulatory supervision, insurance coverage and legislative requirements; and
(e) human resources policies and procedures – an issuer’s hiring, training, supervision, compensation, termination and evaluation practices can affect the quality of the issuer’s workforce and its employees’ attitudes towards controls.
(3) Sources of information about the control environment – Certifying officers should consider the following documentation of an issuer’s control environment:
(a) written codes of conduct or ethics policies; 8
(b) procedure manuals, operating instructions, job descriptions and training materials; (c) evidence that employees have confirmed their knowledge and understanding of items (a) and (b);
(d) organizational charts that identify approval structures and the flow of information; and (e) written correspondence provided by an issuer’s external auditor regarding the issuer’s control environment.
6.7 Controls, policies and procedures to include in DC&P design – In order for DC&P to provide reasonable assurance that information required by securities legislation to be disclosed by an issuer is recorded, processed, summarized and reported within the required time periods, DC&P should generally include the following components:
(a) written communication to an issuer’s employees and directors of the issuer’s disclosure obligations, including the purpose of disclosure and DC&P and deadlines for specific filings and other disclosure;
(b) assignment of roles, responsibilities and authorizations relating to disclosure; (c) guidance on how authorized individuals should assess and document the materiality of information or events for disclosure purposes; and
(d) a policy on how the issuer will receive, document, evaluate and respond to complaints or concerns received from internal or external sources regarding financial reporting or other disclosure issues.
An issuer might choose to include these components in a document called a disclosure policy. Part 6 of National Policy 51-201 Disclosure Standards encourages issuers to establish a written disclosure policy and discusses in more detail some of these components. For issuers that are subject to Multilateral Instrument 52-110 Audit Committees (MI 52-110), compliance with the instrument will also form part of the issuer’s DC&P design.
6.8 Controls, policies and procedures to include in ICFR design – In order for ICFR to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP, it should generally include the following components:
(a) controls for initiating, authorizing, recording, processing and reporting transactions relating to significant accounts and disclosures;
(b) controls for initiating and processing non-routine transactions and journal entries, including those requiring judgments and estimates;
(c) procedures for selecting and applying appropriate accounting policies that are in accordance with the issuer’s GAAP;
(d) controls to prevent and detect fraud; 9
(e) controls on which other controls are dependent, such as information technology general controls; and
(f) controls over the period-end financial reporting process, including controls over entering transaction totals in the general ledger, controls over initiating, authorizing, recording and processing journal entries in the general ledger and controls over recording recurring and non-recurring adjustments to the financial statements (e.g., consolidating adjustments and reclassifications).
6.9 Identification of significant accounts and relevant assertions in the context of a top-down, risk-based approach
(1) Significant accounts and assertions – As described in subsection 6.5(2), a top-down, risk-based approach to designing DC&P and ICFR involves identification of significant accounts and the relevant assertions that affect each significant account. This method assists certifying officers in identifying the risks that could reasonably result in a material misstatement in the issuer’s financial statements, and not all possible risks the issuer faces.
(2) Identifying significant accounts – A significant account could be an individual line item on the issuer’s financial statements, or part of a line item. For example, an issuer might present “net sales” on the income statement, which represents a combination of “gross sales” and “sales returns”, but might identify “gross sales” as a significant account. By identifying part of a line item as a significant account, certifying officers might be able to focus on balances that are subject to specific risks that can be separately identified.
(3) Considerations for identifying significant accounts – A minimum threshold expressed as a percentage or a dollar amount could provide a reasonable starting point for evaluating the significance of an account. However, certifying officers should use their judgment, taking into account qualitative factors, to assess accounts for significance above or below that threshold. Certifying officers should consider the following items when determining whether an account is significant:
(a) the size, nature and composition of the account; (b) the risk of overstatement or understatement of the account; (c) the susceptibility to misstatement due to errors or fraud; (d) the volume of activity, complexity and homogeneity of the individual transactions processed through the account;
(e) the accounting and reporting complexities associated with the account; (f) the likelihood (or possibility) of significant contingent liabilities; (g) the existence of related party transactions; (h) the impact of the account on existing debt covenants; and (i) changes in the account characteristics since the certifying officers last certified the ICFR design.
10
(4) Assertions – Using a top-down, risk-based approach, the certifying officers identify those assertions for each significant account that presents a risk that could reasonably result in a material misstatement in that significant account. The relevance of the following assertions should be considered for each significant account:
(a) existence or occurrence – whether assets or liabilities exist and whether transactions and events that have been recorded have occurred and pertain to the reporting issuer;
(b) completeness – whether all assets, liabilities and transactions that should have been recorded have been recorded;
(c) valuation or allocation – whether assets, liabilities, equity, revenues and expenses have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded;
(d) rights and obligations – whether assets are legally owned by the issuer and liabilities are the obligations of the issuer; and
(e) presentation and disclosure – whether particular components of the financial statements are appropriately presented and described and disclosures are clearly expressed.
(5) Identifying relevant assertions for each significant account – To identify relevant assertions for each significant account the certifying officers determine the source of potential misstatements for each significant account balance or disclosure. When determining whether a particular assertion is relevant, the certifying officers should consider the nature of the assertion, the volume of transactions or data related to the assertion and the complexity of the underlying systems supporting the assertion. If an assertion does not present a risk that could reasonably result in a material misstatement in a significant account, it is likely not a relevant assertion.
For example, valuation might not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant. Similarly, valuation might not be relevant to the gross amount of the accounts receivable balance, but is relevant to the related allowance accounts.
(6) Identifying controls, policies and procedures for relevant assertions – Using a top-down, risk-based approach, the certifying officers design components of ICFR to address each relevant assertion. The certifying officers do not need to design all possible components of ICFR to address each relevant assertion, but would identify and design an appropriate combination of preventive and detective controls, policies and procedures to address all relevant assertions.
The certifying officers should consider the efficiency with which an issuer’s ICFR design could be evaluated when designing an appropriate combination of ICFR components. If more than one potential control, policy or procedure could address a relevant assertion, certifying officers could select the control, policy or procedure that would be easiest to evaluate (e.g., automated control vs. manual control). Similarly, if a control, policy or procedure can be designed to address more than one relevant assertion then certifying officers could choose it rather than a control, policy or procedure that addresses only one relevant assertion.
When designing a combination of controls, policies and procedures, the certifying officers should also consider how the components in section 6.8 of the Policy interact with each other. For example, the certifying officers should consider how information technology general controls
11
interact with controls, policies and procedures over initiating, authorizing, recording, processing and reporting transactions.
6.10 ICFR design challenges – Key features of ICFR and related design challenges are described below.
(a) Segregation of duties – The term “segregation of duties” refers to one or more employees or procedures acting as a check and balance on the activities of another so that no one individual has control over all steps of processing a transaction or other activity. Assigning different people responsibility for authorizing transactions, recording transactions, reconciling information and maintaining custody of assets reduces the opportunity for any one employee to conceal errors or perpetrate fraud in the normal course of his or her duties. Segregating duties also increases the chance of discovering inadvertent errors early. If a reporting issuer has few employees, a single employee may be authorized to initiate, approve and effect payment for transactions and it might be difficult to re-assign responsibilities to segregate those duties appropriately. If an issuer has a limited ability to segregate duties the certifying officers should consider whether other controls adequately address the risk of errors or fraud associated with incompatible activities. For example, extensive board or audit committee oversight of the incompatible activities could compensate for the lack of segregation of duties among staff.
(b) Board expertise – An effective board objectively reviews management’s judgments and is actively engaged in shaping and monitoring the issuer’s control environment. An issuer might find it challenging to attract directors with the appropriate financial reporting expertise, objectivity, time, ability and experience.
(c) Controls over management override – A reporting issuer might be dominated by a founder or other strong leader who exercises a great deal of discretion and provides personal direction to other employees. Although this type of individual can help a reporting issuer meet its growth and other objectives, such concentration of knowledge and authority could allow the individual an opportunity to override established policies or procedures or otherwise reduce the likelihood of an effective control environment. In these circumstances the certifying officers should consider whether they can design compensating controls to prevent or detect management override and whether elements of the control environment assist in preventing or detecting management override. For example, directors with appropriate financial expertise and objectivity might be able to perform some compensating procedures to deter or detect an override. Such procedures could include reviewing adjusting entries that are made as part of the period-end financial reporting process or reviewing critical estimates or judgments with which the dominant individual is involved.
(d) Qualified personnel – Sufficient accounting and financial reporting expertise is necessary to ensure reliable financial reporting and the preparation of financial statements in accordance with the issuer’s GAAP. Some issuers might be unable to obtain qualified accounting personnel or outsourced expert advice on a cost effective basis. Even if an issuer obtains outsourced expert advice, the issuer might not have the internal expertise to understand or assess the quality of the outsourced advice. In either of these circumstances the certifying officers might conclude that the issuer lacks qualified personnel. However, additional involvement by the issuer’s audit committee or board of directors, with appropriate financial expertise, could provide a suitable control to address a lack of qualified personnel.
12
A reporting issuer’s external auditor might perform certain services (e.g., income tax, valuation or internal audit services) that compensate for skills which would otherwise be addressed by hiring qualified personnel or outsourcing expert advice from a party other than the external auditor. This type of arrangement should not be considered to be a component of the issuer’s ICFR. However, it could be one way for certifying officers to mitigate risks related to a reportable deficiency in ICFR due to a lack of qualified personnel.
6.11 ICFR design accommodation (1) Venture issuers – In designing ICFR, most venture issuers will be able to address the challenges described in section 6.10 of the Policy. However, some smaller venture issuers with few employees and limited financial resources might be unable to remediate a reportable deficiency relating to design without (i) incurring significant additional costs, (ii) hiring additional employees, or (iii) restructuring the board of directors and audit committee. In these circumstances, the venture issuer may rely on the ICFR design accommodation in section 2.2 of the Instrument provided it includes the disclosure in its MD&A that is required by subsection 2.2(b) of the Instrument. Section 8.7 of the Policy discusses the disclosure for venture issuers using the ICFR design accommodation.
(2) Non-venture issuers – Although only venture issuers may rely on the ICFR design accommodation in section 2.2 of the Instrument, a reporting issuer that is not a venture issuer may apply for relief from the securities regulatory authorities if it believes that it has a reportable deficiency relating to design that it cannot remediate without (i) incurring significant additional costs, (ii) hiring additional employees or (iii) restructuring the board of directors and audit committee.
6.12 Corporate governance for internal controls – As noted in National Policy 58-201 Corporate Governance Guidelines, the board of directors of an issuer is encouraged to consider adopting a written mandate to explicitly acknowledge responsibility for the stewardship of the issuer, including responsibility for internal control and management information systems. Issuers should consider this guideline in developing their ICFR.
6.13 Maintaining design – Following their initial development and implementation of DC&P and ICFR, and prior to certifying design each quarter, certifying officers should consider the following:
(a) whether the issuer faces any new risks and whether each design continues to provide a sufficient basis for the representations about reasonable assurance required in paragraph 5 of the certificates;
(b) the scope and quality of ongoing monitoring of DC&P and ICFR, including the extent, nature and frequency of reporting the results from the ongoing monitoring of DC&P and ICFR to the appropriate levels of management;
(c) the work of the issuer’s internal audit function; (d) communication, if any, with the issuer’s auditors in connection with an audit of financial statements; and
13
(e) the incidence of weaknesses in DC&P or reportable deficiencies in ICFR that have been identified at any time during the financial year.
6.14 Efficiency and effectiveness – In addition to the considerations set out in this Part that will assist certifying officers in appropriately designing DC&P and ICFR, other steps that certifying officers could take to enhance the efficiency and effectiveness of the designs are:
(a) embedding DC&P and ICFR in the issuer’s business processes; (b) implementing consistent policies and procedures and issuer-wide programs at all locations and business units;
(c) including processes to ensure that DC&P and ICFR are modified to adapt to any changes in business environment; and
(d) including procedures for reporting immediately to the appropriate levels of management any identified issues with DC&P and ICFR together with details of any action being undertaken or proposed to be undertaken to address such issues.
6.15 Documenting design (1) Extent and form of documentation for design – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of design of DC&P and ICFR. The extent of documentation supporting the certifying officers’ design of DC&P and ICFR for each interim and annual certificate will vary depending on the size and complexity of the issuer’s DC&P and ICFR. The documentation might take many forms (e.g., paper documents, electronic, or other media) and could be presented in a number of different ways (e.g., policy manuals, process models, flowcharts, job descriptions, documents, internal memoranda, forms, etc). The extent and form of documentation is a matter of judgment.
(2) Documentation of the control environment - To provide reasonable support for the certifying officers’ design of DC&P and ICFR the certifying officers should generally document the key elements of an issuer’s control environment, including those described in subsection 6.6(2) of the Policy.
(3) Documentation for design of DC&P – To provide reasonable support for the certifying officers’ design of DC&P the certifying officers should generally document:
(a) the processes and procedures that ensure information is brought to the attention of management, including the certifying officers, in a timely manner to enable them to determine if disclosure is required; and
(b) the items listed in section 6.7 of the Policy. (4) Documentation for design of ICFR – To provide reasonable support for the certifying officers’ design of ICFR the certifying officers should generally document:
(a) the issuer’s ongoing risk assessment process and those risks which need to be addressed in order to conclude that the certifying officers have designed ICFR;
14
(b) how significant transactions, and significant classes of transactions, are initiated, authorized, recorded, processed and reported;
(c) the flow of transactions to identify when and how material misstatements or omissions could occur due to error or fraud;
(d) a description of the controls over relevant assertions related to all significant accounts and disclosures in the financial statements;
(e) a description of the controls designed to prevent or detect fraud, including who performs the controls and, if applicable, how duties are segregated;
(f) a description of the controls over period-end financial reporting processes; (g) a description of the controls over safeguarding of assets; and (h) the certifying officers’ conclusions on whether a reportable deficiency in ICFR relating to design exists at the end of the period;
PART 7 – EVALUATION OF DC&P AND ICFR 7.1 General – Most sections in this part apply to both an evaluation of the effectiveness of DC&P (DC&P evaluation) and an evaluation of the effectiveness of ICFR (ICFR evaluation); however, some sections apply specifically to an ICFR evaluation.
7.2 Scope of evaluation – The purpose of the DC&P and ICFR evaluations is to determine whether the issuer’s DC&P and ICFR designs are operating as intended. To support a conclusion that DC&P or ICFR is effective, certifying officers should obtain sufficient appropriate evidence that the components of DC&P and ICFR that they designed, or caused to be designed, are operating as intended. If the certifying officers choose not to use a top-down, risk-based approach to design, the evaluation could be limited to those controls that are necessary to address the risks that might reasonably result in a material misstatement.
Form 52-109F1 requires disclosure of any reportable deficiency relating to the operation of the issuer’s ICFR. Therefore, the scope of the ICFR evaluation must be sufficient to identify any such reportable deficiencies.
7.3 Judgment – The Instrument does not prescribe how the certifying officers should conduct their DC&P and ICFR evaluations. Certifying officers should exercise their judgment, acting reasonably and should apply their knowledge and experience in determining the nature and extent of the evaluation.
7.4 Knowledge, supervision and objectivity – Forms 52-109F1, 52-109FMP1, 52-109FM1 and 52-109F1 – IPO/RTO require the certifying officers to certify that they have evaluated, or supervised the evaluation of, the issuer’s DC&P. Form 52-109F1 also requires the certifying officers to certify that they have evaluated, or supervised the evaluation of the issuer’s ICFR. The individuals performing the evaluation should have the appropriate knowledge and ability to complete the evaluation procedures they perform.
15
Certifying officers should ensure that the evaluation is performed with the appropriate level of objectivity. Generally, the individuals who evaluate the effectiveness of specific controls or procedures should not be the same individuals who perform the specific controls or procedures.
7.5 Use of external auditor or other independent third party – The certifying officers might decide to use an independent third party to assist with their DC&P or ICFR evaluations. In these circumstances, the certifying officers should ensure that the individuals performing the agreed-upon evaluation procedures have the appropriate knowledge and ability to complete the procedures. The certifying officers should be actively involved in determining the procedures to be performed, the findings to be communicated and the manner of communication.
If an issuer chooses to engage its external auditor to assist the certifying officers in the DC&P and ICFR evaluations, the certifying officers should determine the procedures to be performed, the findings to be communicated and the manner of communication. The certifying officers should not rely on ICFR-related procedures performed and findings reported by the issuer’s external auditor solely as part of the financial statement audit. However, if the external auditor is separately engaged to perform specified ICFR-related procedures, the certifying officers might use the results of those procedures as part of their evaluation even if the auditor uses those results as part of the financial statement audit.
7.6 Evaluation tools – Certifying officers can use a variety of tools to perform their DC&P and ICFR evaluations. These tools include:
(a) certifying officers’ daily interaction with the control systems; (b) walkthroughs; (c) interviews of individuals who are involved with the relevant controls; (d) observation of procedures and processes, including adherence to corporate policies; (e) reperformance; and (f) review of documentation that provides evidence that controls, policies or procedures have been performed.
Certifying officers should use a combination of tools for the DC&P and ICFR evaluations. Although inquiry and observation alone might provide an adequate basis for an evaluation of an individual control with a lower risk, they will not provide an adequate basis for the evaluation as a whole.
The nature, timing and extent of evaluation procedures necessary for certifying officers to obtain reasonable support for the effective operation of a component of DC&P or ICFR depends on the level of risk the component of DC&P or ICFR is designed to address.
7.7 Certifying officers’ daily interaction – The certifying officers’ daily interaction with their control systems provides them with opportunities to evaluate the effectiveness of the issuer’s DC&P and ICFR during a financial year. This daily interaction could provide an adequate basis for the certifying officers’ evaluation of DC&P or ICFR if the operation of controls, policies and procedures is centralized and involves a limited number of personnel. Reasonable support of such
16
daily interaction would include memoranda, e-mails and instructions or directions from the certifying officers to other employees.
7.8 Walkthroughs – A walkthrough is a process of tracing a transaction from origination, through the issuer’s information systems, to the issuer’s financial reports. A walkthrough can assist certifying officers to confirm that:
(a) they understand the components of ICFR, including those components relating to the prevention or detection of fraud;
(b) they understand how transactions are processed; (c) they have identified all points in the process at which misstatements related to each relevant financial statement assertion could occur; and
(d) the components of ICFR have been implemented. 7.9 Reperformance (1) General – Reperformance is the independent execution of certain components of the issuer’s DC&P or ICFR that were performed previously. Reperformance could include inspecting records whether internal (e.g., a purchase order prepared by the issuer’s purchasing department) or external (e.g., a sales invoice prepared by a vendor), in paper form, electronic form or other media. The reliability of records varies depending on their nature, source and the effectiveness of controls over their production. An example of reperformance is inspecting whether the quantity and price information in a sales invoice agree with the quantity and price information in a purchase order, and confirming that an employee previously performed this procedure.
(2) Extent of reperformance – The extent of reperformance of a component of DC&P or ICFR is a matter of judgment. Components that are performed more frequently (e.g., controls for recording sales transactions) will generally require more testing than components that are performed less frequently (e.g., controls for monthly bank reconciliations). Components that are manually operated will likely require more rigorous testing than automated controls. Certifying officers could determine that they do not have to test every individual step comprising a control in order to conclude that the overall control is operating effectively.
(3) Reperformance for each evaluation – Certifying officers might find it appropriate to adjust the nature, extent and timing of reperformance for each evaluation. For example, in “year 1”, certifying officers might test information technology controls extensively while in “year 2”, they could focus on monitoring controls that identify changes made to the information technology controls. Certifying officers should consider the specific risks the controls address when making these types of adjustments. It might also be appropriate to test controls at different interim periods, increase or reduce the number and types of tests performed or change the combination of procedures used in order to introduce unpredictability into the testing and respond to changes in circumstances.
7.10 Timing of evaluation – Forms 52-109F1, 52-109FMP1, 52-109FM1 and 52-109F1 – IPO/RTO require certifying officers to certify that they have evaluated the effectiveness of the issuer’s DC&P, and Form 52-109F1 also requires them to certify that they have evaluated the effectiveness of ICFR, as at the financial year end. Certifying officers might choose to schedule testing of some DC&P and ICFR components throughout the issuer’s financial year. However,
17
since the evaluation is at the financial year end, the certifying officers will have to perform sufficient procedures to evaluate the operation of the components at year end. The timing of evaluation activities will depend on the risk associated with the components being evaluated and the tools used to evaluate the components.
7.11 Scope of evaluation for venture issuers relying on the ICFR design accommodation – If a venture issuer cannot reasonably remediate a reportable deficiency relating to design and relies on the ICFR design accommodation in section 2.2 of the Instrument, the issuer is still required to evaluate whether the other components of its ICFR are operating as intended.
For example, although a venture issuer could conclude that it has a reportable deficiency relating to design because it cannot achieve appropriate segregation of duties, it would still need to assess if the other components of its ICFR are working as intended. This would include an evaluation of the effectiveness of the issuer’s control environment, whether the issuer has appropriate board expertise or accounting personnel and an evaluation of other components that are not directly affected by the lack of segregation of duties.
7.12 Documenting evaluations (1) Extent of documentation for evaluation – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of a DC&P and ICFR evaluation. The extent of documentation used to support the certifying officers’ evaluations of DC&P and ICFR for each annual certificate will vary depending on the size and complexity of the issuer’s DC&P and ICFR. The extent of documentation is a matter of judgment.
(2) Documentation for evaluations of DC&P and ICFR – To provide reasonable support for a DC&P or ICFR evaluation the certifying officers should generally document the following:
(a) a description of the process the certifying officers used to evaluate DC&P or ICFR;
(b) how the certifying officers determined the extent of testing of the components of DC&P or ICFR;
(c) a description of, and results from applying, the evaluation tools discussed in sections 7.6 and 7.7 of the Policy or other evaluation tools; and
(d) the certifying officers’ conclusions about the following: (i) the effectiveness of DC&P or ICFR, as applicable; and (ii) whether a reportable deficiency in ICFR relating to operation existed as at the end of the period.
18
PART 8 – IDENTIFICATION AND DISCLOSURE OF A REPORTABLE DEFICIENCY 8.1 ICFR – reportable deficiency (1) Definition – The definition of reportable deficiency refers to a deficiency in the design or operation of one or more controls. If the certifying officers identify more than one reportable deficiency, the issuer should provide a description of each reportable deficiency in the interim or annual MD&A.
The definitions of ICFR and reportable deficiency refer to the reliability of financial reporting and the preparation of an issuer’s financial statements in accordance with the issuer’s GAAP. The Instrument does not define these phrases. In order to have reliable financial reporting, there must be no misrepresentation in the annual or interim filings. In order for an issuer’s financial statements to be prepared in accordance with the issuer’s GAAP, there must be no material misstatement in the issuer’s annual or interim financial statements.
(2) Conclusions of effectiveness if a reportable deficiency exists – If the certifying officers identify a reportable deficiency relating to design or operation existing at the period end date, the certifying officers could not conclude that the issuer’s ICFR is effective.
(3) Reportable deficiency relating to design – A reportable deficiency relating to design exists when the certifying officers determine that a deficiency, or combination of deficiencies, in the design of one or more controls would cause a reasonable person to doubt that the design of ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP. A reportable deficiency relating to design will exist as at the period end if:
(a) the design of ICFR does not include a component of ICFR that is needed to provide reasonable assurance;
(b) an existing component of ICFR is designed so that, even if the component operates as designed, ICFR as a whole does not provide reasonable assurance; or
(c) a component of ICFR has not been implemented. (4) Reportable deficiency relating to operation – A reportable deficiency relating to operation exists when a properly designed component of ICFR does not operate as intended, and therefore would cause a reasonable person to doubt that ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP. For example, if an issuer’s ICFR design requires two individuals to sign a cheque in order to authorize a cash disbursement and the certifying officers conclude that this process is not being followed consistently, the control may be designed properly but is deficient in its operation.
If a reportable deficiency relating to operation continues to exist, the certifying officers should consider whether the deficiency initially relating to operation has become a reportable deficiency relating to design.
8.2 Assessing significance of deficiencies in ICFR – If a deficiency or combination of deficiencies in the design or operation of one or more controls is identified, certifying officers should assess the significance of the deficiency, or combination of deficiencies, to determine if a reportable
19
deficiency exists. Their assessment should generally include both qualitative and quantitative analyses. Among other things, a qualitative analysis of deficiencies involves assessing:
(a) the nature of each deficiency or combination of deficiencies; (b) the cause of each deficiency or combination of deficiencies; (c) the relevant assertion the component of ICFR was designed to address, if applicable; (d) the relationship of each deficiency or combination of deficiencies to elements of the control environment, including tone at the top, assignment of authority and responsibility, consistent policies and procedures and issuer-wide programs that apply to all locations and business units;
(e) whether any other controls effectively compensate for the deficiency or combination of deficiencies; and
(f) the potential effect of each deficiency or combination of deficiencies on annual and interim financial statements.
8.3 Strong indicators of a reportable deficiency – Certifying officers should use their judgment to determine whether a reportable deficiency exists. Strong indicators of a reportable deficiency include:
(a) an ineffective control environment. Circumstances that may indicate that the issuer’s control environment is ineffective include:
(i) identification of any fraud on the part of senior management; (ii) control deficiencies that have been identified and remain unaddressed after some reasonable period of time; and
(iii) ineffective oversight of the issuer’s external financial reporting and ICFR by the company’s audit committee;
(b) refiling of an issuer’s annual or interim filings because of a material misstatement in its filings;
(c) identification by the issuer’s external auditor of a material misstatement; and (d) for complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
8.4 Disclosure of a reportable deficiency in ICFR relating to design (1) Disclosure of a reportable deficiency in ICFR relating to design – If the certifying officers become aware of a reportable deficiency relating to the design of ICFR that existed at the end of the annual or interim period and the issuer is not able to rely on the ICFR design accommodation for venture issuers in section 2.2 of the Instrument, the certifying officers might be able to certify
20
that they have designed ICFR if the issuer has committed to a remediation plan to address the reportable deficiency relating to design prior to filing the certificate.
In these circumstances, the certifying officers should include paragraph 5.2 in Form 52-109F1, 52-109FMP1 or 52-109F2, as applicable. In accordance with subparagraphs 5.2(b) and 5.2(c), the issuer’s annual or interim MD&A should describe the reportable deficiency, the remediation plan to address any reportable deficiency relating to design that existed at the end of the annual or interim period, and the completion date or expected completion date of such plan. The certifying officers would only be in a position to provide the required certificates if the issuer has committed to a remediation plan to address the reportable deficiency relating to design before the date the certifying officers sign the certificates.
(2) Disclosure of effectiveness of ICFR if the issuer has committed to a remediation plan to address a reportable deficiency relating to design – The certifying officers might determine that they are able to certify the design of ICFR because the issuer has committed to a remediation plan prior to filing the certificate; however the issuer would still have a reportable deficiency relating to design existing at the period end date. If the certifying officers are also required to evaluate the effectiveness of the issuer’s ICFR at the financial year end and disclose their conclusions in the issuer’s MD&A, as required by subparagraph 6(b)(i) of Form 52-109F1, they could not conclude that the issuer’s ICFR are effective since a reportable deficiency relating to design existed at the financial year end.
8.5 Disclosure of a reportable deficiency in ICFR relating to operation (1) Disclosure of a reportable deficiency in ICFR relating to operation – If the certifying officers become aware of a reportable deficiency relating to the operation of ICFR that existed at the financial year end, the issuer’s annual MD&A should describe the reportable deficiency and the issuer’s plans, if any, to remediate the reportable deficiency as required by subparagraphs 6(b)(iii) and (iv) of Form 52-109F1.
(2) Satisfaction of disclosure requirements in annual MD&A – If the certifying officers are able to conclude they can certify the design of ICFR because the issuer has committed to a remediation plan to address the reportable deficiency relating to design prior to filing the certificate, then the issuer would have a reportable deficiency relating to operation since the component, or combination of components, included in the remediation plan to address the reportable deficiency relating to design were not operating as intended at the financial year end. In such a case, the disclosure required by paragraph 5.2 of Form 52-109F1 to be included in the issuer’s annual MD&A will also satisfy the issuer’s disclosure requirements in subparagraphs 6(b)(iii) and 6(b)(iv) of the Form.
8.6 Reporting of changes in ICFR after remediation – Once an issuer has completed its remediation it will need to disclose information about the resulting change in the issuer’s ICFR in its next annual or interim MD&A as required by paragraph 7 of Form 52-109F1 or 52-109FMP1, as applicable, and paragraph 6 of Form 52-109F2.
8.7 Disclosure for venture issuers relying on the ICFR design accommodation (1) ICFR design accommodation – If the certifying officers of a venture issuer become aware of a reportable deficiency relating to design that exists at the end of the applicable period and the venture issuer determines that it cannot reasonably remediate the reportable deficiency, it may rely on the ICFR design accommodation for venture issuers in section 2.2 of the Instrument. The
21
ICFR design accommodation enables a venture issuer to disclose a reportable deficiency relating to design but does not eliminate an issuer’s obligation to design ICFR.
(2) Required disclosure – If the venture issuer relies on the ICFR design accommodation, the certifying officers are required to include paragraph 5.3 in Form 52-109F1, 52-109FMP1 or 52-109F2, as applicable, which states that the issuer’s annual or interim MD&A discloses:
(a) a description of the reportable deficiency relating to design existing at the end of the period;
(b) why the issuer cannot reasonably remediate the reportable deficiency; (c) the risks the issuer faces relating to the reportable deficiency; and (d) whether the issuer has mitigated those risks and if so, how. When describing why it cannot reasonably remediate the reportable deficiency the issuer should explain what steps would be required to remediate the deficiency and why it cannot reasonably perform these steps, as discussed in subsection 6.11(1) of the Policy.
If a venture issuer identifies a reportable deficiency relating to design it might mitigate the risks associated with that reportable deficiency by having its directors expand their general inquiries with management to specific areas of financial reporting. The additional inquiries might not be sufficient to represent a control, however this form of additional oversight could be a mitigating strategy. A venture issuer could also mitigate the risks associated with a reportable deficiency by having its external auditor perform additional procedures, for example a review of the issuer’s interim financial statements. Other services performed by an external auditor that could mitigate risks related to a reportable deficiency are discussed in subsection 6.10(d) of the Policy.
(3) Ongoing disclosure if reportable deficiency relating to design continues to exist – When a venture issuer relies on the ICFR design accommodation the certifying officers are required to include paragraph 5.3 in Form 52-109F1, 52-109FMP1 or 52-109F2, as applicable, for each period that the reportable deficiency relating to design exists. The issuer should make the disclosure relating to the ICFR design accommodation in each annual or interim MD&A. A reference to previous disclosure about the ICFR design accommodation would not be sufficient to meet the disclosure requirements.
22
PART 9 – ROLE OF BOARD OF DIRECTORS AND AUDIT COMMITTEE 9.1 Board of directors – All of the forms other than Forms 52-109F2 and 52-109F2 – IPO/RTO require the certifying officers to represent that the issuer has disclosed in its annual MD&A certain information about the certifying officers’ evaluation of the effectiveness of DC&P. Form 52-109F1 also requires the certifying officers to represent that the issuer has disclosed in its annual MD&A certain information about the certifying officers’ evaluation of the effectiveness of ICFR. Under NI 51-102, the board of directors must approve the issuer’s annual MD&A, including the required disclosure concerning DC&P and ICFR, before it is filed. To provide reasonable support for the board of directors’ approval of an issuer’s MD&A disclosure concerning ICFR, including any reportable deficiencies, the board of directors should understand the basis upon which the certifying officers concluded that any particular deficiency or combination of deficiencies did or did not constitute a reportable deficiency (see section 8.2).
9.2 Audit committee – MI 52-110 requires the audit committee to review an issuer’s financial disclosure and to establish procedures for dealing with complaints and concerns about accounting or auditing matters. Issuers subject to MI 52-110 should consider its specific requirements in designing and evaluating their DC&P and ICFR.
9.3 Reporting of fraud – Paragraph 8 of Form 52-109F1 requires certifying officers to disclose to the issuer’s auditors, the board of directors and the audit committee of the board of directors any fraud that involves management or other employees who have a significant role in the issuer’s ICFR. The term “fraud” refers to an intentional act by one or more individuals among management, other employees, those charged with governance or third parties, involving the use of deception to obtain an unjust or illegal advantage.
Two types of intentional misstatements are (i) misstatements resulting from fraudulent financial reporting and (ii) misstatements resulting from misappropriation of assets. Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users.
PART 10 – SUBSIDIARIES, VARIABLE INTEREST ENTITIES, PROPORTIONATELY CONSOLIDATED ENTITIES, EQUITY INVESTMENTS AND PORTFOLIO INVESTMENTS
10.1 Underlying entities – An issuer might have a variety of long term investments that affect how the certifying officers design and evaluate the effectiveness of the issuer’s DC&P and ICFR. In particular, an issuer could have any of the following interests:
(a) an interest in an entity that is a subsidiary which is consolidated in the issuer’s financial statements;
(b) an interest in an entity that is a variable interest entity (a VIE) which is consolidated in the issuer’s financial statements;
(c) an interest in an entity that is proportionately consolidated in the issuer’s financial statements;
(d) an interest in an entity that is accounted for using the equity method in the issuer’s financial statements (an equity investment); or
23
(e) an interest in an entity that is accounted for using the cost method in the issuer’s financial statements (a portfolio investment).
In this part, the term entity is meant to capture a broad range of structures, including, but not limited to, corporations. The terms “consolidated”, “subsidiary”, “VIE”, “proportionately consolidated”, “equity method” and “cost method” have the meaning ascribed to such terms under the issuer’s GAAP. In this part, the term “underlying entity” refers to one of the entities referred to in items (a) through (e) above.
10.2 Fair presentation – As discussed in section 4.1 of the Policy, the concept of fair presentation is not limited to compliance with the issuer’s GAAP. If the certifying officers believe that an issuer’s financial statements do not fairly present its financial condition insofar as it relates to an underlying entity, the certifying officers should cause the issuer to provide additional disclosure in its MD&A.
10.3 Design and evaluation of DC&P and ICFR (1) Access to underlying entity – The nature of an issuer’s interest in an underlying entity will affect the certifying officer’s ability to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity.
Subsidiary – Subject to Part 11 of the Policy, in the case of an issuer with an interest in a subsidiary, as the issuer controls the subsidiary, certifying officers will have sufficient access to the subsidiary to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity.
Proportionately consolidated entity or VIE – In the case of an issuer with an interest in a proportionately consolidated entity or a VIE, certifying officers might not always have sufficient access to the underlying entity to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity.
Whether the certifying officers have sufficient access to a proportionately consolidated entity or a VIE to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity is a question of fact. The sufficiency of their access could depend on, among other things:
(a) the issuer’s percentage ownership of the underlying entity; (b) whether the other underlying entity owners are reporting issuers; (c) the nature of the relationship between the issuer and the operator of the underlying entity if the issuer is not the operator;
(d) the terms of the agreement(s) governing the underlying entity; and (e) the date of creation of the underlying entity. Portfolio investment or equity investment – In the case of an issuer with a portfolio investment or an equity investment, certifying officers will generally not have sufficient access to the underlying entity to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity.
24
(2) Reasonable steps to design and evaluate – Certifying officers should take all reasonable steps to design and evaluate the effectiveness of the controls, policies and procedures carried out by the underlying entity that provide the certifying officers with a basis for the representations in the annual and interim certificates. However, it is left to the discretion of the certifying officers, acting reasonably, to determine what constitutes “reasonable steps”.
(3) Remediation – If the certifying officers have access to the underlying entity to design the controls, policies and procedures for ICFR discussed in subsection (2) and they are not satisfied with those controls, policies and procedures, the certifying officers should consider whether a reportable deficiency exists. If the issuer cannot reasonably remediate the reportable deficiency and is eligible to rely on the ICFR design accommodation under section 2.2 of the Instrument, the issuer is not required to have a remediation plan but must provide the disclosure required by paragraph 5.3 of Form 52-109F1, 52-109FMP1 or 52-109F2. If the issuer cannot rely on the ICFR design accommodation and does not have sufficient time to complete remediation prior to filing the annual or interim certificate the certifying officers might be able to certify the design of ICFR if the issuer has committed to a remediation plan to address the outstanding reportable deficiency and discloses information about the remediation plan as required by paragraph 5.2 of Form 52-109F1, 52-109FMP1 or 52-109F2, as applicable.
(4) Disclosure of scope limitation relating to a proportionately consolidated entity or VIE – A scope limitation exists if the certifying officers do not have sufficient access to a proportionately consolidated entity or VIE to design and evaluate the controls, policies and procedures carried out by the underlying entity that would provide the certifying officers with a basis for the representations in the annual or interim certificates. This scope limitation and summary financial information about the underlying entity must be disclosed in the issuer’s MD&A in accordance with section 2.3 of the Instrument. Meaningful summary financial information of the underlying entity that has been proportionately consolidated or consolidated in the issuer’s financial statements would include:
(a) sales or revenues; (b) income or loss before discontinued operations and extraordinary items; (c) net income or loss for the period; and unless (i) the accounting principles used to prepare the financial statements of the underlying entity permit the preparation of its balance sheet without classifying assets and liabilities between current and non-current, and (ii) the MD&A includes alternative meaningful financial information about the underlying entity which is more appropriate to the underlying entity’s industry,
(d) current assets; (e) non-current assets; (f) current liabilities; and (g) non-current liabilities. Meaningful disclosure about the underlying entity would also include the issuer’s share of any contingencies and commitments for the proportionately consolidated entity or VIE, and the
25
issuer’s responsibility for any other interest holder’s share of the contingencies for the proportionately consolidated entity or VIE.
(5) Limited access to the underlying entity of a portfolio investment or equity investment – Where the certifying officers might not have access to design and evaluate controls, policies and procedures carried out by the underlying entity of a portfolio investment or equity investment the issuer’s DC&P and ICFR should address the issuer’s disclosure relating to:
(a) the carrying amount of the investment; (b) any dividends the issuer receives from the investment; (c) any required impairment charge related to the investment; and (d) if applicable, the issuer’s share of any income/loss from the equity investment. (6) Reliance on financial information of underlying entity – We recognize that, in most cases, certifying officers will have to rely on the financial information reported by a proportionately consolidated entity, VIE or the underlying entity of an equity investment. In order to certify an issuer’s annual or interim filings that include information regarding the issuer’s investment in these underlying entities, the certifying officers should perform the following minimum procedures:
(a) ensure that the issuer receives the underlying entity’s financial information on a timely basis;
(b) review the underlying entity’s financial information to determine whether it has been prepared in accordance with the issuer’s GAAP; and
(c) review the underlying entity’s accounting policies and evaluate whether they conform to the issuer’s accounting policies.
PART 11 – BUSINESS ACQUISITIONS 11.1 Access to acquired business – Generally, certifying officers will have sufficient access to design controls, policies and procedures carried out by an acquired business. We acknowledge however, that it might not be feasible to design or evaluate such controls, policies and procedures for a business acquired during the last 90 days of an issuer’s annual or interim period.
Whether it is feasible for certifying officers to design or evaluate the controls, policies and procedures carried out by a business acquired during the last 90 days of an issuer’s annual or interim period is a question of fact. It could depend on, among other things:
(a) whether the business acquired has been subject to (i) the Instrument or substantially similar requirements regarding an evaluation of internal controls, or (ii) the Sox 302 Rules and the Sox 404 Rules;
(b) the size and complexity of the business acquired; (c) the terms of the acquisition agreement; 26
(d) the length of time between the date of the acquisition agreement, the closing date of the acquisition and the end of the issuer’s annual or interim period; and
(e) whether the business was acquired under a hostile take-over bid. 11.2 Disclosure of scope limitation – If it is not feasible for the certifying officers to design the controls, policies and procedures carried out by a business acquired within the last 90 days of an issuer’s annual or interim period that would provide the certifying officers with a basis for the representations in the annual or interim certificate, this scope limitation and summary financial information of the business must be disclosed in an issuer’s MD&A in accordance with section 2.3 of the Instrument and paragraph 5.4 in Form 52-109F1, 52-109FMP1 or 52-109F2, or paragraph 5.1 in Form 52-109FM1, 52-109F1 – IPO/RTO or 52-109F2 – IPO/RTO, as applicable. Meaningful summary financial information of the acquired business would include:
(a) sales or revenues; (b) income or loss before discontinued operations and extraordinary items; (c) net income or loss for the period; and unless (i) the accounting principles used to prepare the financial statements of the acquired business permit the preparation of its balance sheet without classifying assets and liabilities between current and non-current, and (ii) the MD&A includes alternative meaningful financial information about the acquired business which is more appropriate to the acquired business’ industry,
(d) current assets; (e) non-current assets; (f) current liabilities; and (g) non-current liabilities. Meaningful disclosure about the acquired business would also include the issuer’s share of any contingencies and commitments, which arise as a result of the acquisition.
PART 12 – EXEMPTIONS 12.1 Issuers that comply with U.S. laws – Under National Instrument 52-107 Acceptable Accounting Principles, Auditing Standards and Reporting Currency, certain Canadian issuers may prepare their financial statements in accordance with accounting principles other than Canadian GAAP. However, some Canadian issuers might choose to prepare two sets of financial statements and file their Canadian GAAP statements in the applicable jurisdictions. In order to ensure that the Canadian GAAP financial statements are certified (under either the Instrument or Sox 302 Rules), those issuers will not have recourse to the exemptions in sections 7.1 and 7.2 of the Instrument.
27
PART 13 – LIABILITY FOR CERTIFICATES CONTAINING MISREPRESENTATIONS 13.1 Liability for certificates containing misrepresentations – A certifying officer providing a certificate containing a misrepresentation potentially could be subject to quasi-criminal, administrative or civil proceedings under securities law.
A certifying officer providing a certificate containing a misrepresentation could also potentially be subject to private actions for damages either at common law or, in Québec, under civil law, or under the statutory civil liability regimes in certain jurisdictions.
PART 14 – TRANSITION 14.1 Representations regarding DC&P and ICFR following the transition periods – If an issuer files an annual certificate in Form 52-109F1, 52-109FM1, 52-109FMP1 or 52-109F1 – IPO/RTO or an interim certificate in Form 52-109F2 or 52-109F2 – IPO/RTO that includes representations regarding DC&P or ICFR, these representations would not extend to the prior period comparative information included in the annual filings or interim filings if:
(a) the prior period comparative information was previously the subject of certificates that did not include these representations; or
(b) no certificate was required for the prior period. 28