On February 4, 2005, members of the Canadian Securities Administrators (the CSA), other than British Columbia, published for a 120-day comment period proposed Multilateral Instrument 52-111 Reporting on Internal Control over Financial Reporting (the Proposed Internal Control Instrument) and a related companion policy (collectively, the Proposed Internal Control Materials). The CSA also published an instrument to revise Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings (the Revised Certification Instrument), the certification forms and the related companion policy (collectively, the Revised Certification Material).

The objective of the proposals set out in the Proposed Internal Control Materials and the Revised Certification Materials is to improve the quality and reliability of financial and other continuous disclosure reporting by reporting issuers. The CSA believe that this in turn will help to maintain and enhance investor confidence in the integrity of Canadian capital markets.

The Proposed Internal Control Materials and the Revised Certification Materials will also lend support to various other initiatives developed by the CSA by requiring issuers to develop appropriate systems that provide reasonable assurance regarding the reliability of disclosure made by issuers.

The Proposed Internal Control Instrument will impose the following requirements in addition to the requirements of the Revised Certification Materials:

  • an evaluation of the effectiveness of internal control over financial reporting against a suitable control framework;
  • maintenance of evidence providing reasonable support for the evaluation of the effectiveness of internal control over financial reporting;
  • reporting of material weaknesses in internal control over financial reporting; and
  • an audit of internal control over financial reporting.

These requirements are similar to those under the SOX 404 Rules adopted by the SEC in connection with the U.S. Sarbanes-Oxley law.

American experience to date with the implementation of the SOX 404 Rules has proven very expensive. Issuers have had to allocate substantial resources, both monetary and personnel, to implement the required procedures. New software had to be developed or purchased, andissuers were also faced with hefty hikes in audit fees and other expenses, including service or consulting fees for implementing the required procedures.

The Revised Certification Instrument will harmonize the current certification requirements with those imposed by the SOX 302 Rules for all reporting issuers that are subject to the Proposed Internal Control Instrument.

Scope of Application

The Proposed Internal Control Instrument applies to all reporting issuers other than investment funds and venture issuers. In contrast, the Revised Certification Instrument applies to all reporting issuers other than investment funds. As a result, venture issuers are subject to the requirements of the Revised Certification Instrument, but are not required to comply with the Proposed Internal Control Instrument.

Effective Dates and Transition Periods

The provisions regarding internal control reports and internal control audit reports will be phased in over four years, starting with financial years ending on or after June 30, 2006. The implementation dates are based on the market capitalisation of issuers calculated on the basis of a twenty-trading-day weighted average as of June 30, 2005 (with an exception for an issuer who becomes a reporting issuer or ceases to be a venture issuer after that date).

The table below sets out the implementation dates, which are being phased in to provide issuers time to prepare for compliance with the requirements and to ensure that adequate resources are available.

Issuer’s Market
Capitalization

First Year-end to
which reporting
requirements apply

$500,000,000 or more

June 30, 2006

$250,000,000 or more
but less than $500,000,000

June 30, 2007

$75,000,000 or more
but less than $250,000,000

June 30, 2008

less than $75,000,000

June 30, 2009

Management's Assessment of Internal Control Effectiveness

The Proposed Internal Control Instrument requires management of every issuer, with the participation of the certifying officers, to evaluate the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's financial year.

Definition of "Management"

The Proposed Internal Control Instrument intentionally does not define "management." The CSA believe that it should be left to the discretion of the certifying officers, acting reasonably, to determine the other members of management for the purposes of the Proposed Internal Control Instrument.

Scope of Evaluation

The Proposed Internal Control Instrument does not prescribe the scope of the evaluation of internal control over financial reporting. The CSA believe that it should be left to the judgment of management, acting reasonably, and that this will allow management to tailor its evaluation to the particular circumstances of the issuer, taking into account the issuer's size, nature of business and complexity of operations. The Proposed Internal Control Policy, however, clarifies the CSA’s expectations of the scope of the evaluation if the issuer has certain interests in an underlying entity.

The controls subject to such assessment include:

  • controls over initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions included in the financial statements;
  • controls related to the initiation and processing of non-routine and non-systematic transactions, such as accounts involving judgments and estimates;
  • controls related to the selection and application of appropriate accounting policies that are in accordance with the issuer's GAAP;
  • anti-fraud programs and controls;
  • controls, including general information-technology controls, on which other controls are dependent;
  • controls over the period-end financial reporting process; and
  • controls that have a pervasive impact, such as those within the control environment, including the "tone at the top," assignment of authority and responsibility, consistent policies and procedures and issuer-wide programs that apply to all locations and business units.

The assessment of an issuer's internal control over financial reporting should be based upon procedures sufficient to evaluate its design and to test its operating effectiveness. The nature of an issuer's testing activities will largely depend on the circumstances of the issuer and the significance of a control. The proposed companion policy provides that inquiry alone, however, will not generally provide an adequate basis for management's assessment.

The Proposed Internal Control Instrument does not require interim evaluations of internal control over financial reporting. The CSA recognize that some controls operate continuously while others operate only at certain times, such as the end of a financial year. The management of an issuer should perform evaluations of the design and operation of the issuer's internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the issuer's financial year, the design and operation of the issuer's internal controls over financial reporting are effective.

Suitable Control Framework

The evaluation must be based upon a suitable control framework. The Proposed Internal Control Instrument does not prescribe the control framework that must be used. Instead it requires management to use a "suitable" control framework established by a body or group that has followed an open and transparent process, including giving the public an opportunity to offer comments, when developing the control framework.

The Proposed Internal Control Policy provides additional guidance on what constitutes a "suitable control framework." In particular, it confirms that the following control frameworks satisfy the criteria of a suitable control framework:

  • the Risk Management and Governance/Guidance on Control published by The Canadian Institute of Chartered Accountants' Criteria of Control Board (CoCo);
  • the Internal Control Integrated Framework published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO); and
  • the Turnbull Report published by The Institute of Chartered Accountants in England and Wales.

Evidence

The Proposed Internal Control Instrument requires every issuer to maintain evidence that provides reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting. The evidence must be maintained in a manner that ensures the trustworthiness and readability of the information recorded and for the same period that the accounting records for the financial year to which the evidence relates are maintained in accordance with the Income Tax Act (Canada). The application of this requirement to issuers not subject to the Income Tax Act (Canada) is not clear.

The Proposed Internal Control Instrument does not prescribe the content of the evidence, as the CSA believe that it may vary depending on the issuer's size, the nature of its business and the complexity of its operations. The Proposed Internal Control Policy indicates that the evidence should include information about the design of internal controls over financial reporting and the testing processes used by management, including:

  • the design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements;
  • information about how significant transactions are initiated, authorized, recorded, processed and reported;
  • sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
  • a listing of controls designed to prevent or detect fraud, including who performs the controls and related segregation of duties;
  • a listing of controls over period-end financial reporting processes;
  • a listing of controls over safeguarding of assets; and
  • results of management's testing and evaluation.

Internal Control Report

The proposed Internal Control Instrument also requires every issuer to file a report from management that describes management's assessment of the effectiveness of the issuer's internal control over financial reporting (an internal control report). An internal control report must be filed separately, but concurrently, with the issuer's annual financial statements and annual MD&A.

An internal control report must include:

  • a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;
  • a statement identifying the control framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting;
  • management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's financial year, including a statement as to whether the internal control over financial reporting is effective;
  • disclosure of any material weaknesses in the issuer's internal control over financial reporting identified by management;
  • a statement that the auditors that audited the issuer's annual financial statements have issued an internal control audit report;
  • disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a joint venture or a variable interest entity (VIE) in which the issuer has a material interest; and
  • disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a business that was acquired by the issuer during the financial year.

The internal control report must be approved by the issuer's board of directors before it is filed.

Internal Control Audit Report

The Proposed Internal Control Instrument requires every issuer to file a report in which the issuer's auditor expresses an opinion, or states that an opinion cannot be expressed, concerning management's assessment of the effectiveness of the issuer's internal control over financial reporting (an internal control audit report). The internal control audit report must be filed together with the internal control report.

An internal control audit report must:

  • be prepared in accordance with the standard (the CICA Standard) for an audit of internal control over financial reporting performed in conjunction with an audit of financial statements established by the Auditing and Assurance Standards Board of The Canadian Institute of Chartered Accountants (the CICA);
  • be dated the same date as the audit report on the annual financial statements;
  • be signed by the auditor; and
  • identify the internal control report in respect of which the internal control audit report has been prepared.

The proposed CICA Standard is substantially the same as the Public Company Accounting Oversight Boards’ (the PCAOB) auditing standard number No. 2, an Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (the PCAOB Standard). Auditors of foreign issuers may perform their audit and prepare their audit report in accordance with the PCAOB Standard. A foreign issuer is defined to have the meaning ascribed to it in National Instrument 52-107 — Acceptable Accounting Principles, Auditing Standards and Reporting Currency.

Auditor Independence

Under the rules of professional conduct of the Canadian provincial and territorial institutes of Chartered Accountants, auditors are prohibited from providing certain non-audit services to issuers above a specified size threshold. Among other things, this permits an auditor expressing an opinion on financial statements of an issuer to provide certain non-audit services such as accounting, bookkeeping and internal audit so long as any resulting "self-review threat" is reduced to an acceptable level. The Proposed Internal Control Policy confirms that, if such services are provided to an issuer, the issuer's audit committee and the auditor should evaluate carefully whether the auditor's independence will be impaired for purposes of signing an internal control audit report.

Summary Of Changes To Current Certification Materials

The current certification materials continue to be in force in all jurisdictions, except British Columbia and Québec. If the Revised Certification Materials are adopted, they will replace the current certification materials.

There are two primary differences between the current certification forms and the proposed certification forms. First, the proposed certification form includes an annual representation that an issuer's certifying officers have disclosed, based on their most recent evaluation of internal control over financial reporting, to the issuer's auditors and audit committee:

  • all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting that are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information; and
  • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal control over financial reporting.

"Significant deficiency," "material weakness" and "audit committee" are defined in the Revised Certification Instrument. This representation is contained in the form of a certificate required under the SOX 302 Rules and is based upon an evaluation of internal control over financial reporting, which is a requirement of the Proposed Internal Control Instrument.

Second, the proposed certification form contains a representation, if applicable, that the issuer is not required to comply with the requirements of the Proposed Internal Control Instrument.

Cost-Benefit Analysis

The CSA commissioned a cost-benefit analysis of the proposed rules. While acknowledging the difficulties of the analysis, Charles River Associates concluded that, based on mid-range estimates, the measured costs exceeded the measured benefits for all categories of issuers. They were only 20% higher in the case of issuers with assets over $5 billion, versus over 350% higher in the case of issuers with under $50 million in assets.

In November 2004, AMR Research published results based on a study conducted by it in which over 200 business and IT leaders were surveyed on SOX and broad compliance spending priorities. AMR Research estimated that companies will spend US$5.8 billion on meeting SOX requirements in 2005. AMR Research also reported that despite initial thoughts that SOX spending would be a one-time expenditure, 36% of the companies plan to increase spending, 52% will maintain current levels and 12% will decrease SOX spending.

Lessons learned from the US Experience

One is hopeful that Canadian companies can benefit from the experience of their American counterparts and their auditors in implementing SOX 404 Rules. More familiarity with internal controls, together with an increasing involvement of external audit firms in internal control considerations and requirements, have led to a clearer understanding of how companies must demonstrate compliance with the reporting rules. The following are some of the lessons learned when looking at the efforts of American companies to comply with the requirements of SOX 404 Rules

  • Company ownership – there must be a strong, accountable internal owner of the implementation of internal controls with the necessary resources and sponsorship from top management and the audit committee. We have learned that successful implementation requires that companies be focused on both the short term and the long term funding of the effort, have appropriate budget and dedicated resources to prioritize team efforts and oversee the program with suitable accountability.
  • Coordination – clearly, management of an issuer must take responsibility for developing its own approach to performing an evaluation of internal control over financial reporting. Several companies used a combination of internal resources and outside service providers. For obvious reasons, this approach should be a coordinated effort between the company, the outside service providers and the independent auditors. Coordination between the various constituents of the implementation process is critical. In that respect, a steering committee including management, internal audit functions, members of the audit committee, IT executives and the external auditors is one way of fostering such coordination.
  • Creating Value – The implementation of internal control over financial reporting can be seen as a mere compliance exercise. However, companies can look for ways to gain value from implementing such processes. Just like with running, one must learn how to walk before one can run. In the context of implementing internal controls over financial reporting, it is important to insure the fundamentals are in place for year one compliance before a company can focus on the long-term benefits. It is abundantly clear that the level and magnitude of efforts required by American companies for year one implementation of the reporting controls over financial control was much greater than originally expected. Proper focus on the first year of compliance is therefore required.
  • Ongoing Communication – American company experience shows that, initially, internal communications regarding the implementation of SOX 404 Rules primarily happen on a quarterly basis and as companies get closer to their compliance deadline, discussions became more frequent, typically monthly. In the early stages of implementation, these discussions were more focused on macro issues. As companies moved further into the testing phase, these discussions moved to more open dialogue on implementation issues and the timetable for performing remediation when control deficiencies were identified. Past experience shows that there is a need for continuous and consistent communication. Once again a steering committee can foster such environments.
  • Using the Right Resources – Specialized resources are particularly important. Many companies found that the skills necessary to document and test controls resided primarily within their internal audit group. A concrete benefit of extensive involvement by members of the internal audit group is the potential reduction in work required to be conducted by other internal resources as well as by outside service providers. However, a majority of companies have also had to add additional resources to help them stay on schedule with the documentation and testing processes. Accordingly, the use of a combination of internal resources and outside service providers will most likely ultimately be the most common approach used.
  • Next Year and Beyond – Ernst & Young recently reported that companies implementing SOX 404 Rules are enjoying benefits as a result of implementing the rules. According to Ernst & Young, more than 60% of the companies surveyed reported enhanced financial processes, 40% have seen their control expanding to other parts of the business and 20% suggested that increased consistency and standardization of internal processes represented another inherent gain. These benefits may increase in the years following implementation.

Issuers will need to focus on several issues to insure continued compliance and to maximize other potential benefits from the implementation of these processes. For example, will reporting over internal controls be seen as a compliance exercise or as a step towards enterprise-wide risk management? Just as initial compliance will be a significant management responsibility, so will ongoing compliance. How will the leadership team be structured and how will the process be integrated with other management functions? While there will be a significant decrease in the resources and effort required in later years compared to the first year of implementation, how will issuers document new processes, applications and acquisitions, update existing documentation and perform testing or assessment in the future?

Experience shows that there are no right or wrong answers, but that every issuer must assess its situation individually. Each issuer’s needs will be different and the path to compliance will, as a result, be different. Issuers should decide where they are headed and develop a multi-year plan to get there. Obviously, the extent of the work that will be required should not be underestimated; in fact, considerable thought must be given to finding the best way to leverage existing resources, and to learn from the experience of American companies and their advisors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.