Proposed Replacement of Instrument Relating to Internal Control Reporting and Certification Requirements

On March 30, 2007, the Canadian Securities Administrators (CSA) released for comment a revised National Instrument (NI) 52-109 - Certification of Disclosures in Issuers’ Interim and Annual Filings. The revised proposals sets out the CSA’s approach for reporting on the effectiveness on internal control over financial reporting (ICFR). To understand what this means and its implications, we asked Horwath Orenstein LLP.

The new proposals are effective for year-ends ending on or after June 30th 2008. In addition to the current certification requirements in place, key points that will have a significant impact on senior management are CEOs and CFOs are required to:

• evaluate the effectiveness of the issuer’s ICFR as of year end and disclose their conclusions in the annual MD&A
• disclose in the issuer’s annual MD&A the process for evaluating the effectiveness of ICFR
• disclose in the issuer’s MD&A reportable deficiencies in the design and operation of ICFR
• identify in the issuer’s annual MD&A the control framework used to design ICFR, or the fact that no framework was used
• disclose to the external auditors, board of directors and audit committee any fraud that involves management or employees involved in the issuer’s ICFR

In addition, the CSA also released Companion Policy NI 52-109CP which provides guidance on the design and evaluation of DC&P and ICFR. The proposed guidance suggests a top-down, risk-based approach for management to identify significant accounts and processes, determine financial reporting assertions, and evaluate the design of the components of ICFR.

What Are the Implications of the CSA Approach for Senior Management?

• CEOs and CFOs are now required to conduct an evaluation of their ICFR and conclude on its design and operating effectiveness based on a risk-based, systematic, and disciplined review process with sufficient documentation prepared to support their conclusions.
• It is not sufficient for CEOs and CFOs to rely on the internal control audit review performed by the external auditors as part of the year-end audit for the basis of their conclusion on the effectiveness of ICFR. The CEO and CFO are required to perform their own independent and objective review. The external auditor’s review of internal controls can be used to corroborate senior management’s conclusions, not replace it.
• The review of ICFR should be based on an internal control framework in order to evaluate the overall effectiveness of the design of the issuer’s internal controls. The most common internal control frame work is the Committee of Sponsoring Organizations (COSO) – Internal Control over Financial Reporting.
• Sufficient due diligence should be performed during the review process to support senior management’s assertion that a robust investigation was performed on the effectiveness of ICFR and at a minimum, meets the CSA Companion Policy NI 52-109CP requirements for certification.
• The review of ICFR should consider the possibility of fraud as it relates to individuals responsible for internal controls and corporate governance.\
• The audit committee should understand senior management’s review process for ICFR and ensure that reportable deficiencies are appropriately disclosed in the MD&A. This is particularly important given the civil liability action provisions of Bill 198 for secondary market disclosure.

180 View – If you have questions, we suggest you call Rob Crawford, who is the Director of Risk Management Services at Horwath Orenstein LLP. Robert can be reached at 416-596-6767 Ext 252

CEO challenge

January-February 2007 from CAmagazine – “Since 2004, three waves of CEO and CFO certification have washed over corporate Canada, and there are more to come. All are aimed at restoring investor confidence in financial reporting and related controls by improving accountability and transparency — terms seldom heard during the ’90s, a time of heady growth, but which, since 2001, have resurfaced as key business, governance and disclosure principles.

Certification was introduced to Canada in 2004 when the Canadian Securities Administrators (CSA) required the CEO and CFO of a reporting issuer to certify the financial information in quarterly and annual filings. In 2005, that was expanded to include certification about disclosure controls and procedures. Last year, the third wave arrived. It requires certifying officers of TSX and TSX-V issuers to file the full annual certificate for financial years ending on or after June 30, 2006 — which, for many reporting issuers, means the calendar year ended December 31, 2006.

The full annual certificate in CSA Multilateral Instrument 52-109 expands the certification to require CEOs and CFOs to state they have “designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.”

In addition, they are required to certify that the annual Management’s Discussion and Analysis (MD&A) discloses any changes in internal control over financial reporting (ICFR) that occurred in the latest interim reporting period that have materially affected, or could materially affect, the ICFR.

This third wave of certification applies only to the design of ICFR, not its operating effectiveness. That will be introduced in a fourth wave of certification, yet to come…"

The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach for CEOs and CFOs to follow in assessing and certifying the design of ICFR. This approach will also help companies prepare for the future evaluation of the effectiveness of ICFR...

The September 2006 CICA publication Internal Control 2006: The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach for CEOs and CFOs to follow in assessing and certifying the design of ICFR. This approach will also help companies prepare for the future evaluation of the effectiveness of ICFR.

180 View – Note that requirements kick in “for financial years ending on or after June 30, 2006”. Also note that the certification is limited to design and not operating effectiveness, which means that the most onerous work required in the US under Sarbanes-Oxley is not required in Canada – at least not yet. But because of the backlash by public companies related to the cost of Sarbanes-Oxley compliance, the U.S. may water down their compliance requirements to be similar to Canada.

The article later goes on to say “The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach.” Straightforward sounds great in principle, but it’s not clear what is meant by it. Risk-based leads to efficiency in that there is no point on spending time unnecessarily if risks are minimal. Business focus means “companies should view their assessment of ICFR (Internal Control over Financial Reporting) as a business improvement opportunity, not just a regulatory compliance task.”

Multilateral Instrument 52-109 and Bill 198

October 17, 2006 from Horwath Orenstein LLP – “In a noteworthy development, separate statements of claim have recently been filed by Marvin Neil Silver and Cliff Cohen, both would-be plaintiffs in a proposed class action against Imax Corporation and certain directors and officers of the company. Silver’s claim is the first (by a day – Cohen’s followed hard on its heels) to invoke the secondary- market liability provisions that were recently added to the Securities Act (Ontario) under Bill 198...

Multilateral Instrument 52-109 and proposed amendments setting out reporting criteria required for 2006, 2007, and beyond, combined with Bill 198, has significant implications for Audit Committees, Directors and senior management of reporting issuers. The intent of these new rules and regulations is to improve governance and rebuild corporate credibility through accurate, reliable, and timely communication of information to shareholders. The announcement of the above class action is evidence that Bill 198 is a reality, and public issuers must ensure that they have exercised due diligence with respect to the company’s “Disclosure Controls and Procedures” and “Internal Controls over Financial Reporting”, under the certification requirements of Multilateral Instrument 52-109.

Multilateral Instrument 52-109 requires CEOs and CFOs of all Canadian publicly listed companies to certify:
a) The design and implementation of “Disclosure Controls and Procedures” for both interim and annual filings on or after March 31, 2005
b) The design and implementation of “Internal Control over Financial Reporting” for both interim and annual filings on or after June 30, 2006 (subject to transitional rules)
c) The evaluation of the effectiveness of “Disclosure Controls and Procedures” and have concluded on their effectiveness in the Management Discussion and Analysis accompanying their annual report for year ends ending on or after March 31, 2005
d) The disclosure of material changes in the “Internal Control over Financial Reporting” that occurred during the most recent interim period in the Management Discussion and Analysis accompanying their interim or annual report for periods ending on or after June 30, 2006

In addition, for years ending on or after December 31, 2007, CEOs and CFOs are required to certify on the evaluation of “Internal Controls over Financial Reporting”, and provide their conclusions on their effectiveness, including a discussion on the method for evaluating their effectiveness in the Management Discussion and Analysis accompanying the annual report...”