Proposed Replacement of Instrument Relating to Internal Control Reporting and Certification Requirements

On March 30, 2007, the Canadian Securities Administrators (CSA) released for comment a revised National Instrument (NI) 52-109 - Certification of Disclosures in Issuers’ Interim and Annual Filings. The revised proposals sets out the CSA’s approach for reporting on the effectiveness on internal control over financial reporting (ICFR). To understand what this means and its implications, we asked Horwath Orenstein LLP.

The new proposals are effective for year-ends ending on or after June 30th 2008. In addition to the current certification requirements in place, key points that will have a significant impact on senior management are CEOs and CFOs are required to:

• evaluate the effectiveness of the issuer’s ICFR as of year end and disclose their conclusions in the annual MD&A
• disclose in the issuer’s annual MD&A the process for evaluating the effectiveness of ICFR
• disclose in the issuer’s MD&A reportable deficiencies in the design and operation of ICFR
• identify in the issuer’s annual MD&A the control framework used to design ICFR, or the fact that no framework was used
• disclose to the external auditors, board of directors and audit committee any fraud that involves management or employees involved in the issuer’s ICFR

In addition, the CSA also released Companion Policy NI 52-109CP which provides guidance on the design and evaluation of DC&P and ICFR. The proposed guidance suggests a top-down, risk-based approach for management to identify significant accounts and processes, determine financial reporting assertions, and evaluate the design of the components of ICFR.

What Are the Implications of the CSA Approach for Senior Management?

• CEOs and CFOs are now required to conduct an evaluation of their ICFR and conclude on its design and operating effectiveness based on a risk-based, systematic, and disciplined review process with sufficient documentation prepared to support their conclusions.
• It is not sufficient for CEOs and CFOs to rely on the internal control audit review performed by the external auditors as part of the year-end audit for the basis of their conclusion on the effectiveness of ICFR. The CEO and CFO are required to perform their own independent and objective review. The external auditor’s review of internal controls can be used to corroborate senior management’s conclusions, not replace it.
• The review of ICFR should be based on an internal control framework in order to evaluate the overall effectiveness of the design of the issuer’s internal controls. The most common internal control frame work is the Committee of Sponsoring Organizations (COSO) – Internal Control over Financial Reporting.
• Sufficient due diligence should be performed during the review process to support senior management’s assertion that a robust investigation was performed on the effectiveness of ICFR and at a minimum, meets the CSA Companion Policy NI 52-109CP requirements for certification.
• The review of ICFR should consider the possibility of fraud as it relates to individuals responsible for internal controls and corporate governance.\
• The audit committee should understand senior management’s review process for ICFR and ensure that reportable deficiencies are appropriately disclosed in the MD&A. This is particularly important given the civil liability action provisions of Bill 198 for secondary market disclosure.

180 View – If you have questions, we suggest you call Rob Crawford, who is the Director of Risk Management Services at Horwath Orenstein LLP. Robert can be reached at 416-596-6767 Ext 252