Register today for OSC Dialogue 2024: Inviting, thriving and secure capital markets
Proposed Rule: MI - 52-111 - Reporting on Internal Control over Financial Reporting
Proposed Rule: MI - 52-111 - Reporting on Internal Control over Financial Reporting
MULTILATERAL INSTRUMENT 52-111 -
REPORTING ON INTERNAL CONTROL OVER FINANCIAL REPORTING
PART 1 -- DEFINITIONS, INTERPRETATION AND APPLICATION
1.1 Definitions - In this Instrument,
"52-111 transition 1 issuer" means an issuer whose listed equity securities have an aggregate market value of $250,000,000 or more but less than $500,000,000 on the market capitalization date;
"52-111 transition 2 issuer" means an issuer whose listed equity securities have an aggregate market value of $75,000,000 or more but less than $250,000,000 on the market capitalization date;
"52-111 transition 3 issuer" means an issuer whose listed equity securities have an aggregate market value of less than $75,000,000 on the market capitalization date;
"52-111 transition issuers" means a 52-111 transition 1 issuer, a 52-111 transition 2 issuer or a 52-111 transition 3 issuer;
"asset-backed security" has the meaning ascribed to it in NI 51-102;{1}
"annual financial statements" means the annual financial statements required to be filed under NI 51-102;
"CICA Standard" means the standard, established by the Auditing and Assurance Standards Board of The Canadian Institute of Chartered Accountants, for an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, as amended from time to time;
"foreign issuer" has the meaning ascribed to it in NI 52-107;{2}
"interim financial statements" means the interim financial statements required to be filed under NI 51-102;
"internal control audit report" means a report in which a participating audit firm expresses an opinion, or states that an opinion cannot be expressed, concerning management's assessment of the effectiveness of an issuer's internal control over financial reporting;{3}
"internal control over financial reporting" means a process designed by, or under the supervision of, the issuer's chief executive officer and chief financial officer, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer's GAAP and includes those policies and procedures that:
(a) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer,
(b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issuer's GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and
(c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the annual financial statements or interim financial statements;{4}
"internal control report" means a report of management that describes management's assessment of the effectiveness of an issuer's internal control over financial reporting;
"investment fund" has the meaning ascribed to it in NI 51-102;{5}
"issuer's GAAP" has the meaning ascribed to it in NI 52-107;{6}
"joint venture" has the meaning ascribed to it in the Handbook;
"listed equity securities" means equity securities listed or quoted on an exchange or marketplace;
"market capitalization date" means:
(a) June 30, 2005;
(b) in the case of an issuer that becomes a reporting issuer after June 30, 2005, the date on which the issuer becomes a reporting issuer; or
(c) in the case of a reporting issuer that ceases to be a venture issuer after June 30, 2005, the date on which the reporting issuer ceased to be a venture issuer;
"marketplace" has the meaning ascribed to it in National Instrument 21-101 Marketplace Operation;{7}
"material weakness" has the meaning ascribed to it in the CICA Standard;{8}
"MD&A" has the meaning ascribed to it in NI 51-102;{9}
"NI 51-102" means National Instrument 51-102 Continuous Disclosure Obligations;
"NI 52-107" means National Instrument 52-107 Acceptable Accounting Principles, Auditing Standards and Reporting Currency;
"notice of 52-111 exemption" means a notice that includes:
(a) the financial year for which the notice is being filed;
(b) a statement that the issuer is a 52-111 transition issuer;
(c) the calculation of the aggregate market value of the issuer's listed equity securities on the market capitalization date; and
(d) a statement that the issuer is not required to file an internal control report and internal control audit report for the identified financial year;
"participating audit firm" has the meaning ascribed to it in National Instrument 52-108 Auditor Oversight;{10}
"PCAOB Standard" means Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements adopted by the Public Company Accounting Oversight Board, as amended from time to time;
"Sarbanes-Oxley Act" means the Sarbanes-Oxley Act of 2002, Pub.L. 107-204, 116 Stat. 745 (2002), as amended from time to time;
"significant deficiency" has the meaning ascribed to it in the CICA Standard;{11}
"U.S. marketplace" has the meaning ascribed to it in NI 51-102;{12}
"variable interest entity" has the meaning ascribed to it in the Handbook; and
"venture issuer" means an issuer that, as at the applicable time, did not have any of its securities listed or quoted on any of the Toronto Stock Exchange, a U.S. marketplace, or a marketplace outside of Canada or the United States of America; where the "applicable time" in respect of:
(a) the Instrument other than paragraph (c) of the definition of market capitalization date in section 1.1, is the end of the applicable financial year; and
(b) paragraph (c) of the definition of market capitalization date in section 1.1, is the date on which securities of an issuer are listed or quoted on any of the Toronto Stock Exchange, a U.S. marketplace, or a marketplace outside of Canada or the United States of America.
1.2 Application -- This Instrument applies to all reporting issuers other than investment funds and venture issuers.
1.3 Calculation of the aggregate market value of an issuer's listed equity securities -- For the purposes of this Instrument, the aggregate market value of the listed equity securities of an issuer is the aggregate of the market value of each class of its listed equity securities outstanding on the market capitalization date, calculated by multiplying
1. the total number of listed equity securities of the class outstanding on the market capitalization date, by
2. the weighted average of the market price for the listed equity securities of the class outstanding on the exchange or marketplace on which that class of listed equity securities is principally traded for each of the 20 trading days immediately following the market capitalization date.
PART 2 -- MANAGEMENT'S ASSESSMENT OF INTERNAL CONTROL OVER FINANCIAL REPORTING
2.1 Annual evaluation of effectiveness of internal control over financial reporting -- The management of an issuer must evaluate, with the participation of the issuer's chief executive officer and chief financial officer, or in the case of an issuer that does not have a chief executive officer or a chief financial officer, persons performing similar functions to a chief executive officer or chief financial officer, the effectiveness of the issuer's internal control over financial reporting as of the end of a financial year.{13}
2.2 Control framework for evaluation --
(1) Management must base its evaluation of the effectiveness of an issuer's internal control over financial reporting on a suitable control framework.
(2) A suitable control framework must be established by a body or group that has followed an open and transparent process, including providing the public with an opportunity to provide comments, when developing the control framework.{14}
2.3 Evidence --
(1) An issuer must maintain evidence to provide reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting.{15}
(2) An issuer must maintain the evidence required under subsection (1) in a manner that will ensure the trustworthiness and readability of the information recorded.{16}
(3) The evidence required under subsection (1) must be maintained for the same period that the accounting records for the financial year to which the evidence relates are maintained in accordance with the Income Tax Act (Canada).
2.4 Filing of internal control report -- An issuer must file an internal control report separately but concurrently with the filing of its annual financial statements and annual MD&A.{17}
2.5 Form and content of internal control report --
(1) An internal control report must include:
(a) a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for an issuer;
(b) a statement identifying the control framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting;
(c) management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's financial year, including a statement as to whether the internal control over financial reporting is effective;
(d) disclosure of any material weaknesses in the issuer's internal control over financial reporting identified by management;
(e) a statement that the participating audit firm that audited the issuer's annual financial statements has issued an internal control audit report;
(f) disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a joint venture or a variable interest entity in which the issuer has a material interest; and
(g) disclosure of any limitations in management's assessment of the effectiveness of the issuer's internal control over financial reporting extending into a business that was acquired by the issuer during the financial year.{18}
(2) Despite paragraph (1)(g), management must not limit its assessment of the effectiveness of an issuer's internal control over financial reporting extending into a business as at the end of a financial year where the business was acquired in the immediately preceding financial year.
(3) An internal control report must be dated a date that is on or before the date of the internal control audit report prepared in respect of the internal control report.
2.6 Approval of internal control report -- An issuer's board of directors must approve an internal control report required to be filed under section 2.4 before the internal control report is filed.
PART 3 -- INTERNAL CONTROL AUDIT REPORT
3.1 Filing of internal control audit report --
(1) An issuer must file an internal control audit report for the same financial year for which an internal control report has been filed.
(2) The internal control audit report must be filed by the issuer together with the internal control report.
3.2 Form and content of internal control audit report --
(1) An internal control audit report must:
(a) be prepared in accordance with the CICA Standard;
(b) be dated the same date as the auditor's report on the annual financial statements;
(c) be signed by the participating audit firm; and
(d) identify the internal control report in respect of which the internal control audit report has been prepared.{19}
(2) Despite paragraph (1)1, an internal control audit report in respect of an internal control report of a foreign issuer may be prepared in accordance with the PCAOB Standard.
(3) An internal control audit report may be combined with the auditor's report on the annual financial statements.{20}
3.3 No separate engagement -- An internal control audit report and auditor's report on annual financial statements for a financial year must be prepared by the same participating audit firm.{21}
PART 4 -- REFILED INTERNAL CONTROL REPORTS AND INTERNAL CONTROL AUDIT REPORTS
4.1 Refiled annual financial statements --
(1) If an issuer refiles its annual financial statements for a financial year, it must refile its internal control report and internal control audit report for that financial year.
(2) The refiled internal control report and internal control audit report must be filed by the issuer separately but concurrently with the filing of its refiled annual financial statements.
PART 5 -- DELIVERY OF INTERNAL CONTROL REPORT AND INTERNAL CONTROL AUDIT REPORT
5.1 Delivery -- An issuer that must send its annual financial statements and annual MD&A for a financial year to a person or company under NI 51-102 must also send to the person or company, concurrently and without charge, a copy of its internal control report and internal control audit report for that financial year.
PART 6 -- LANGUAGE OF INTERNAL CONTROL REPORTS AND INTERNAL CONTROL AUDIT REPORTS
6.1 French or English -
(1) An issuer must file the internal control reports and the internal control audit reports required to be filed under this Instrument in French or in English.
(2) Despite subsection (1), if an issuer files an internal control report or an internal control audit report only in French or only in English but delivers to securityholders a version of the document in the other language, the issuer must file that other version not later than when it is first delivered to securityholders.
(3) In Québec, an issuer must comply with linguistic obligations and rights prescribed by Québec law.
PART 7 - EXEMPTIONS
7.1 Exemption for 52-111 transition 1 issuers -- A 52-111 transition 1 issuer is exempt from the requirements of this Instrument for a financial year ending on or before June 29, 2007 provided that the issuer files a notice of 52-111 exemption with the securities regulatory authorities separately but concurrently with its annual financial statements and annual MD&A for that financial year.
7.2 Exemption for 52-111 transition 2 issuers -- A 52-111 transition 2 issuer is exempt from the requirements of this Instrument for a financial year ending on or before June 29, 2008 provided that the issuer files a notice of 52-111 exemption with the securities regulatory authorities separately but concurrently with its annual financial statements and annual MD&A for that financial year.
7.3 Exemption for 52-111 transition 3 issuers -- A 52-111 transition 3 issuer is exempt from the requirements of this Instrument for a financial year ending on or before June 29, 2009 provided that the issuer files a notice of 52-111 exemption with the securities regulatory authorities separately but concurrently with its annual financial statements and annual MD&A for that financial year.
7.4 Exemption for issuers that comply with U.S. laws -- An issuer is exempt from the requirements in this Instrument for a financial year if:
(a) the issuer is in compliance with U.S. federal securities laws implementing the internal control report requirements in sections 404(a) and (b) of the Sarbanes-Oxley Act; and
(b) management's annual report on internal control over financial reporting and the attestation report on management's assessment of internal control over financial reporting included in the issuer's annual report for the financial year is filed promptly after it is filed with the SEC.{22}
7.5 Exemption for foreign issuers -- An issuer is exempt from the requirements in this Instrument if it qualifies for the relief contemplated by, and is in compliance with the requirements and conditions set out in, sections 5.4 and 5.5 of National Instrument 71-102 Continuous Disclosure and Other Exemptions Relating to Foreign Issuers.{23}
7.6 Exemption for certain exchangeable security issuers -- An issuer is exempt from the requirements in this Instrument if it qualifies for the relief contemplated by, and is in compliance with the requirements and conditions set out in, section 13.3 of NI 51-102.{24}
7.7 Exemption for certain credit support issuers -- An issuer is exempt from the requirements in this Instrument if it qualifies for the relief contemplated by, and is in compliance with the requirements and conditions set out in, section 13.4 of NI 51-102.{25}
7.8 Exemption for asset-backed securities issuers -- An issuer is exempt from the requirements in this Instrument if it is an issuer of asset-backed securities.{26}
7.9 General exemption --
(1) The regulator or securities regulatory authority may grant an exemption from this Instrument, in whole or in part, subject to such conditions or restrictions as may be imposed in the exemption.
(2) Despite subsection (1), in Ontario only the regulator may grant such an exemption.{27}
PART 8 - EFFECTIVE DATE AND TRANSITION
8.1 Effective date - This Instrument comes into force on [•].{28}
8.2 Transition -- The provisions of the Instrument regarding internal control reports and internal control audit reports apply for financial years ending on or after June 30, 2006.{29}
{1} "Asset-backed security" is defined in NI 51-102 as a security that is primarily serviced by the cash flows of a discrete pool of mortgages, receivables or other financial assets, fixed or revolving, that by their terms convert into cash within a finite period and any rights or other assets designed to assure the servicing or the timely distribution of proceeds to securityholders.
{2} "Foreign issuer" is defined in NI 52-107 as an issuer, other than an investment fund, that is incorporated or organized under the laws of a foreign jurisdiction, unless
(a) outstanding voting securities of the issuer carrying more than 50 per cent of the votes for the election of directors are owned, directly or indirectly, by residents of Canada; and
(b) any of the following apply:
(i) the majority of the executive officers or directors of the issuer are residents of Canada;
(ii) more than 50 per cent of the consolidated assets of the issuer are located in Canada; or
(iii) the business of the issuer is administered principally in Canada.
{3} This definition is derived from 17 CFR 210.1-02(a)(2) (Definitions of terms used in Regulation S-X); however, the term has been changed to "internal control audit report" rather than "attestation report on management's assessment of internal control over financial reporting" to conform to the wording in the proposed CICA Standard.
{4} This is the same as the definition of "internal control over financial reporting" set out in Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings (MI 52-109).
{5} "Investment fund" is defined in NI 51-102 as a mutual fund or non-redeemable investment fund.
{6} "Issuer's GAAP" is defined in NI 52-107 as the accounting principles used to prepare an issuer's financial statements, as permitted by NI 52-107.
{7} "Marketplace" is defined in National Instrument 21-101 Marketplace Operation to mean:
(a) an exchange,
(b) a quotation and trade reporting system,
(c) a person or company not included in paragraph (a) or (b) that
(i) constitutes, maintains or provides a market or facility for bringing together buyers and sellers of securities;
(ii) brings together the orders for securities of multiple buyers and sellers, and
(iii) uses established, non-discretionary methods under which the orders interact with each other, and the buyers and sellers entering the orders agree to the terms of the trade, or
(d) a dealer that executes a trade of an exchange-traded security outside of a marketplace, but does not include an inter-dealer bond broker.
{8} The definition in the proposed CICA Standard is:
""Material weakness" means a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected."
{9} "MD&A" is defined in NI 51-102 as a completed Form 51-102F1 Management's Discussion & Analysis or, in the case of an SEC issuer, a completed Form 51-102F1 or management's discussion and analysis prepared in accordance with Item 303 of Regulation S-K or item 303 of Regulation S-B under the 1934 Act.
{10} "Participating audit firm" is defined in National Instrument 52-108 Auditor Oversight as a public accounting firm that has entered into a participation agreement and that has not had its participation status terminated, or, if its participation status was terminated, has been reinstated in accordance with CPAB by-laws.
{11} The definition in the proposed CICA Standard is:
""Significant deficiency" means a control deficiency, or combination of control deficiencies, that adversely affects an issuer's ability to initiate, authorize, record, process or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's annual or interim financial statements that is more than inconsequential will not be prevented or detected."
{12} "U.S. marketplace" is defined in NI 51-102 as an exchange registered as a 'national securities exchange' under section 6 of the 1934 Act, or the Nasdaq Stock Market.
{13} This section is derived from 17 CFR 240.13a-15(c) (Controls and procedures) and 17 CFR 240.15d-15(c) (Controls and procedures).
{14} This section is derived from 17 CFR 240.13a-15(c) (Controls and procedures) and 17 CFR 240.15d-15(c) (Controls and procedures).
{15} This section is derived from 17 CFR 229.308 (Instruction to Item 308), 17 CFR 249.220f (Instruction to Item 15) and 17 CFR 249.240f (Instruction to paragraph (c) of General Instruction B.6).
{16} This requirement is similar to requirements set forth in Canada Revenue Agency's Information Circular 78-10R3 Books and Records Retention/Destruction.
{17} This section is derived from 17 CFR 229.308(a) (Management's annual report on internal control over financial reporting), 17 CFR 249.220f (Item 15(b) -- Management's annual report on internal control over financial reporting) and 17 CFR 249.240f (Paragraph (c) of General Instruction B.6 -- Management's annual report on internal control over financial reporting).
{18} The requirements set out in paragraphs (a) through (e) in this section are derived from 17 CFR 229.308(a) (Management's annual report on internal control over financial reporting), 17 CFR 249.220f (Item 15(b) -- Management's annual report on internal control over financial reporting) and 17 CFR 249.240f (Paragraph (c) of General Instruction B.6 -- Management's annual report on internal control over financial reporting). The requirements set out in paragraphs (f) and (g) of this section are derived from Office of the Chief Accountant, Division of Corporate Finance: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports -- Frequently Asked Questions (revised October 6, 2004).
{19} This section is derived from 17 CFR 210.2-02(f) (Accountants' reports and attestation reports on management's assessment of internal control over financial reporting).
{20} This section is derived from 17 CFR 210.2-02(f) (Accountants' reports and attestation reports on management's assessment of internal control over financial reporting).
{21} This section is derived from section 404(b) of the Sarbanes-Oxley Act.
{22} This is similar to the exemption contained in section 7.1 of MI 52-109.
{23} This is similar to the exemption contained in section 7.2 of MI 52-109.
{24} This is similar to the exemption contained in section 7.3 of MI 52-109.
{25} This is similar to the exemption contained in section 7.4 of MI 52-109.
{26} Issuers of asset-backed securities are not required to comply with the SEC rules implementing section 404 of the Sarbanes-Oxley Act.
{27} This is similar to the exemption contained in section 7.5 of MI 52-109.
{28} This Instrument is intended to come into force on the same date as the amended and restated MI 52-109.
{29} Under the SEC rules implementing section 404 of the Sarbanes-Oxley Act, a foreign private issuer must comply with the annual internal control report for its first financial year ending on or after July 15, 2005.
COMPANION POLICY 52-111CP -- TO MULTILATERAL INSTRUMENT 52-111 REPORTING ON INTERNAL CONTROL OVER FINANCIAL REPORTING
PART 1 -- GENERAL
1.1 Introduction and purpose -
(1) Multilateral Instrument 52-111 Reporting on Internal Control over Financial Reporting (the Instrument) sets out additional disclosure requirements for all reporting issuers, other than investment funds and venture issuers.
(2) The purpose of this Companion Policy (the Policy) is to help you understand how the provincial and territorial securities regulatory authorities interpret or apply certain provisions of the Instrument.
1.2 Application to non-corporate entities - The Instrument applies to both corporate and non-corporate entities. Where the Instrument or the Policy refers to a particular corporate characteristic, such as a board of directors, the reference should be read to include any equivalent characteristic of a non-corporate entity.
PART 2 -- MANAGEMENT'S ASSESSMENT OF EFFECTIVENESS OF INTERNAL CONTROL OVER FINANCIAL REPORTING
2.1 No formal requirement for interim evaluation - The Instrument does not require interim evaluations of internal control over financial reporting. We recognize that some controls operate continuously while others operate only at certain times, such as the end of a financial year. The management of an issuer should perform evaluations of the design and operation of the issuer's internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the issuer's financial year, the design and operation of the issuer's internal control over financial reporting are effective.{1}
2.2 Management -
(1) Section 2.1 of the Instrument requires management of an issuer to evaluate the effectiveness of internal control over financial reporting. The Instrument does not define "management". We would expect that management, for the purposes of the Instrument, includes the chief executive officer and chief financial officer of an issuer, or in the case of an issuer that does not have a chief executive officer or chief financial officer, all persons performing similar functions to a chief executive officer or chief financial officer; however, we believe that it should be left to the discretion of the chief executive officer and chief financial officer (or persons performing similar functions to a chief executive officer or chief financial officer), each acting reasonably, to determine the other members of management for the purposes of the Instrument.
(2) Where an issuer does not have a chief executive officer or chief financial officer, each person who performs similar functions to a chief executive officer or chief financial officer must participate in the evaluation of the effectiveness of the issuer's internal control over financial reporting. It is left to the discretion of the issuer, acting reasonably, to determine who those persons are.
(3) In the case of an income trust reporting issuer (as described in proposed National Policy 41-201 Income Trusts and Other Indirect Offerings) where executive management resides at the underlying business entity level or in an external management company, we would generally consider the chief executive officer and chief financial officer of the underlying business entity or the external management company to be persons performing functions in respect of the income trust similar to a chief executive officer and chief financial officer.
(4) In the case of a limited partnership reporting issuer with no chief executive officer and chief financial officer, we would generally consider the chief executive officer and chief financial officer of its general partner to be persons performing functions in respect of the limited partnership reporting issuer similar to a chief executive officer and chief financial officer.
2.3 Scope of evaluation -
(1) The assessment of an issuer's internal control over financial reporting should be based upon procedures sufficient to evaluate its design and to test its operating effectiveness.{2}
(2) The controls subject to such assessment include:
(a) controls over initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions included in the financial statements;
(b) controls related to the initiation and processing of non-routine and non-systematic transactions, such as accounts involving judgments and estimates;
(c) controls related to the selection and application of appropriate accounting policies that are in accordance with the issuer's GAAP;
(d) anti-fraud programs and controls;
(e) controls, including information technology general controls, on which other controls are dependent;
(f) controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger, to initiate, authorize, record and process journal entries in the general ledger and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations and reclassifications); and
(g) controls that have a pervasive impact such as those within the control environment, including the "tone at the top", assignment of authority and responsibility, consistent policies and procedures and issuer wide programs that apply to all locations and business units.{3}
(3) The nature of an issuer's testing activities will largely depend on the circumstances of the issuer and the significance of a control. Inquiry alone, however, will not generally provide an adequate basis for management's assessment. This statement should not be interpreted to mean that management personally must conduct the necessary activities to evaluate the design and test the operating effectiveness of the issuer's internal control over financial reporting. Activities, including those necessary to provide management with the information on which it bases its assessment, may be conducted by non-management personnel acting under the supervision of management. Management, however, has overall responsibility for the preparation of the internal control report.{4}
2.4 Control framework for evaluation -
(1) The Instrument does not mandate the use of a particular control framework in recognition of the fact that other evaluation standards exist and may be developed in the future that may satisfy the intent of the Instrument.
(2) A suitable control framework should:
(a) be free from bias;
(b) permit reasonably consistent qualitative and quantitative measurements of an issuer's internal control over financial reporting;
(c) be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of an issuer's internal control over financial reporting are not omitted; and
(d) be relevant to an evaluation of internal control over financial reporting.
(3) Without limiting the generality of subsections (1) and (2), the following control frameworks satisfy our criteria for the purposes of section 2.2 of the Instrument:
(a) the Risk Management and Governance (formerly: Guidance of the Criteria of Control Board) published by The Canadian Institute of Chartered Accountants;
(b) the Internal Control -- Integrated Framework published by The Committee of Sponsoring Organizations of the Treadway Commission; and
(c) the Turnbull Report published by The Institute of Chartered Accountants in England and Wales.
(4) The control frameworks referred to in subsection (3) include in their definition of "internal control" three general categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. The term "internal control over financial reporting", as defined in the Instrument, is a subset of internal controls addressed in these control frameworks. The definition in the Instrument does not encompass the elements of these control frameworks that relate to effectiveness and efficiency of an issuer's operations and an issuer's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the securities regulatory authorities' financial reporting requirements.{5}
2.5 Evidence -
(1) The Instrument requires that an assessment of the effectiveness of internal control over financial reporting be supported by evidence. We expect this evidence to include information about the design of internal control over financial reporting and the testing processes used by management. We believe that this evidence should provide reasonable support:
(a) for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions in the issuer's financial disclosure; and
(b) for the conclusion that the tests were appropriately planned and performed and that the results of the tests were appropriately considered.{6}
(2) To provide reasonable support for management's assessment of the effectiveness of internal control over financial reporting, the evidence should include:
(a) the design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements;
(b) information about how significant transactions are initiated, authorized, recorded, processed and reported;
(c) sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
(d) a listing of controls designed to prevent or detect fraud, including who performs the controls and related segregation of duties;
(e) a listing of controls over period-end financial reporting processes;
(f) a listing of controls over safeguarding of assets; and
(g) results of management's testing and evaluation.{7}
(3) The evidence may be in written or non-written form.
(4) The evidence may be in bound or loose-leaf form or in photographic film form or may be entered or recorded by any system of mechanical or electronic data processing or by any other information storage device that is capable of reproducing any required information in intelligible form within a reasonable time.{8}
2.6 Subsidiaries, variable interest entities, joint ventures, equity and portfolio investments -
(1) Underlying entities - An issuer may have a variety of long term investments. In particular, an issuer may have any of the following interests (referred to in this section as underlying entities):
(a) an interest in an entity which is consolidated because the issuer controls that entity (a subsidiary);
(b) an interest in an entity which is consolidated because it is a variable interest entity (a VIE);
(c) an interest in an entity which is proportionately consolidated because the issuer jointly controls that entity (a joint venture);
(d) an interest in an entity which is accounted for using the equity method because the issuer has significant influence over that entity (an equity investment); or
(e) an interest in an entity which is carried at cost because the issuer has neither control nor significant influence over that entity (a portfolio investment).
In this section, the term entity is meant to capture a broad range of structures, including, but not limited to, corporations.
(2) Evaluation of effectiveness of internal control over financial reporting - If an issuer has an interest in an underlying entity, the nature of that underlying entity will impact the procedures required to be undertaken by management in its evaluation of the effectiveness of the issuer's internal control over financial reporting.
(3) Expectations regarding access to underlying entity - In the case of an issuer with an interest in a subsidiary, we expect management to have access to the subsidiary to evaluate the issuer's internal control over financial reporting extending into the subsidiary.
In the case of an issuer with an interest in a joint venture or a VIE, we acknowledge that management may not always have access to the underlying entity to evaluate the issuer's internal control over financial reporting extending into the underlying entity. We expect management to take all reasonable steps to evaluate the issuer's internal control over financial reporting. It is left to the discretion of management, acting reasonably, to determine what constitutes "reasonable steps".
In the case of an issuer with an interest in a portfolio investment or an equity investment, management will often not have access to the underlying entity to evaluate the issuer's internal control over financial reporting extending into the underlying entity.
(4) No access - When management does not have access to the underlying entity to evaluate the issuer's internal control over financial reporting extending into the underlying entity:
(a) in the case of an issuer with a material interest in a joint venture or a VIE, management is required to disclose this scope limitation in the internal control report. This disclosure should include the magnitude of the amounts proportionately consolidated or consolidated into the issuer's annual financial statements.
(b) in the case of an issuer with an equity investment or a portfolio investment, management should evaluate the effectiveness of the internal control over financial reporting that was required to be designed under Multilateral Instrument 52-109 Certification of Disclosure in Issuers' Annual and Interim Filings (MI 52-109). These requirements are discussed in subparagraph 5.6(5)(c)(ii) and paragraph 5.6(5)(d) of the companion policy to MI 52-109.
(5) Factors affecting access - Whether management has the necessary access to a joint venture or a VIE to evaluate an issuer's internal control over financial reporting extending into the joint venture or VIE is a question of fact. While the factors to consider in making this assessment are the same as those listed in paragraph 5.6(5)(f) (in the case of a joint venture) or paragraph 5.6(5)(g) (in the case of a VIE) of the companion policy to MI 52-109, the outcome of the analysis may be different. Management may have the ability to evaluate the effectiveness of internal control over financial reporting extending into the joint venture or VIE even though the chief executive officer and chief financial officer (or persons performing similar functions to a chief executive officer or chief financial officer) do not have the ability to design internal control over financial reporting extending into the joint venture or VIE.
For all joint ventures and VIEs created on or after [insert the date the Instrument comes into force], we expect an issuer to negotiate for the necessary access to evaluate the issuer's internal control over financial reporting extending into the joint venture or VIE.
2.7 Business acquisitions -
(1) General expectation - Except as discussed in section 2.6, we expect management to have access to each consolidated or proportionately consolidated entity to evaluate an issuer's internal control over financial reporting extending into the entity. We acknowledge, however, that it may not be feasible to assess an issuer's internal control over financial reporting extending into a business as at the end of a financial year during which the business was acquired by the issuer.
(2) Factors affecting feasibility of assessing internal control over financial reporting extending into an acquired business - Whether it is feasible for management to assess an issuer's internal control over financial reporting extending into a business as at the end of a financial year during which the business was acquired by the issuer is a question of fact. It may depend on, among other things:
(i) whether the business acquired has been subject to the Instrument, the U.S. federal securities laws implementing the internal control report requirements in sections 404(a) and (b) of the Sarbanes-Oxley Act or substantially similar requirements;
(ii) the size and complexity of the business acquired;
(iii) the terms of the acquisition agreement;
(iv) the length of time between the date of the acquisition agreement, the closing date of the acquisition and the date of management's assessment of internal control over financial reporting; and
(v) whether the business was acquired under a hostile take-over bid.
(3) Disclosure of scope limitation - If it is not feasible for management to assess an issuer's internal control over financial reporting extending into a business as at the end of a financial year during which the business was acquired by the issuer, management is required to disclose this scope limitation in the internal control report. This disclosure should include the magnitude of the amounts relating to the acquired business consolidated into the issuer's annual financial statements.
2.8 Interaction between the Instrument and MI 52-109 - Nothing in the Instrument relieves a chief executive officer and chief financial officer (or persons performing similar functions to a chief executive officer or chief financial officer) of their obligations under MI 52-109.
PART 3 -- INTERNAL CONTROL AUDIT REPORT
3.1 No separate engagement -
(1) Section 3.3 of the Instrument provides that the participating audit firm that prepares the auditor's report on the financial statements must be the same as the participating audit firm who prepares the internal control audit report. Because the participating audit firm is required to audit management's assessment of internal control over financial reporting, management and the participating audit firm will need to coordinate their processes of documenting and testing the internal control over financial reporting. However, we remind issuers and participating audit firms that the independence provisions of the rules of professional conduct adopted by the provincial and territorial institutes of Chartered Accountants prohibit a participating audit firm in Canada from providing certain non-audit services to an audit client. Under these rules of professional conduct, participating audit firms may assist management in documenting internal control over financial reporting without compromising their independence. When the participating audit firm is engaged to assist management in documenting internal control over financial reporting, management must be actively involved in the process. We remind issuers and participating audit firms that under the rules of professional conduct management cannot delegate its responsibility to assess its internal control over financial reporting to the participating audit firm. The Instrument does not amend the rules of professional conduct.{9}
(2) The evaluation of independence for the purposes of signing the internal control audit report is distinct from the evaluation of independence for the purposes of signing the auditor's report on the financial statements. The CICA Standard and the PCAOB Standard require a participating audit firm to be independent in order to sign the internal control audit report.
(3) Under the CICA Standard and the PCAOB Standard, to qualify as independent, the participating audit firm should not:
(a) act as management or as an employee of an issuer;
(b) audit its own work;
(c) serve in a position of being an advocate for an issuer; or
(d) have a mutual or conflicting interest with an issuer.
(4) Under the rules of professional conduct of the provincial and territorial institutes of Chartered Accountants, participating audit firms are prohibited from providing certain non-audit services to issuers above a specified size threshold. In certain circumstances, however, the rules of professional conduct allow these services to be provided to smaller issuers. When such services are provided to an issuer, the issuer's audit committee and the participating audit firm should evaluate whether the participating audit firm's independence has been impaired for the purposes of signing an internal control audit report. In doing so, the audit committee and the participating audit firm should evaluate carefully the nature of the services provided to determine whether the participating audit firm:
(a) has acted as a control or has designed a control for the issuer; and
(b) will be auditing its own work in signing the internal control audit report.
(5) Non-audit services which should be considered carefully in an evaluation of independence for the purposes of signing an internal control audit report include:
(a) preparation of the annual financial statements for the financial year in respect of which the internal control audit report is provided; and
(b) design or implementation of a hardware or software system that aggregates source data underlying the annual financial statements for the financial year in respect of which the internal control audit report is provided.
3.2 Combined audit reports - Under the CICA Standard and the PCAOB Standard, a participating audit firm may prepare a "combined audit report" in relation to an issuer, which combines the auditor's report on the financial statements with the internal control audit report. In determining whether a "combined audit report" should be filed, the participating audit firm and the issuer should consider whether the auditor's report on the financial statements is expected to be included or incorporated by reference in another document that may be filed or delivered to the securities regulatory authorities.
PART 4 -- REFILED ANNUAL MD&A
4.1 Refiled annual MD&A - If the annual MD&A for a financial year is refiled but the annual financial statements for that financial year are not refiled, it will not be necessary to refile the internal control report and internal control audit report for that financial year.
PART 5 -- EXEMPTIONS
5.1 Issuers that comply with U.S. laws -
(1) The exemptions in section 7.3 of the Instrument are based on our view that the investor confidence aims of the Instrument do not justify requiring issuers to comply with the internal control report and internal control audit report requirements in the Instrument if such issuers comply with substantially similar requirements under U.S. laws, as those laws may be amended from time to time.
(2) As a condition to being exempt from the internal control report and internal control audit report requirements under section 7.3 of the Instrument, issuers must file the reports that they filed with the SEC in compliance with its rules implementing the requirements prescribed in sections 404(a) and 404(b) of the Sarbanes-Oxley Act.{10}
PART 6 -- LIABILITY FOR REPORTS CONTAINING MISREPRESENTATIONS
6.1 Liability for internal control reports containing misrepresentations -
(1) Officers providing an internal control report containing a misrepresentation potentially could be subject to quasi-criminal, administrative or civil proceedings under securities law.
(2) Officers providing an internal control report containing a misrepresentation could also potentially be subject to private actions for damages either at common law or, in Québec, under civil law, or under the Securities Act (Ontario) when amendments which create statutory civil liability for misrepresentations in continuous disclosure are proclaimed in force. The liability standard applicable to a document required to be filed with the Ontario Securities Commission, including an internal control report, will depend on whether the document is a "core" document as defined under Part XXIII.1 of the Securities Act (Ontario). Internal control reports are currently not included in the definition of "core document" but would be included in the definition of "document".
(3) In any action commenced under Part XXIII.1 of the Securities Act (Ontario) a court has the discretion to treat multiple misrepresentations having common subject matter or content as a single misrepresentation. This provision could permit a court in appropriate cases to treat a misrepresentation in an issuer's financial statements and a misrepresentation made by officers in an internal control report that relate to the underlying financial statements as a single misrepresentation.
(4) Liability for misrepresentations under Part XXIII.1 of the Securities Act (Ontario) is limited to, among others, each officer of the issuer who authorized, permitted or acquiesced in the release of the internal control report. The term "officer" is defined in the Securities Act (Ontario) to include certain persons acting in specified positions as well as persons designated as "officers" in an issuer's by-laws. Accordingly, it is possible that certain members of management that are involved in the preparation of the internal control report are not "officers" and as a result, are not exposed to liability under Part XXIII.1 of the Securities Act (Ontario) for a misrepresentation in an internal control report.
6.2 Liability for internal control audit reports containing misrepresentations -
(1) Participating audit firms providing an internal control audit report containing a misrepresentation potentially could be subject to quasi-criminal, administrative or civil proceedings under securities law.
(2) Participating audit firms providing an internal control audit report containing a misrepresentation could also potentially be subject to private actions for damages either at common law or, in Québec, under civil law, or under the Securities Act (Ontario) when amendments which create statutory civil liability for misrepresentations in continuous disclosure are proclaimed in force. The liability standard applicable to a document required to be filed with the Ontario Securities Commission, including an internal control audit report, will depend on whether the document is a "core" document as defined under Part XXIII.1 of the Securities Act (Ontario). Internal control audit reports are currently not included in the definition of "core document" but would be included in the definition of "document".
(3) In any action commenced under Part XXIII.1 of the Securities Act (Ontario) a court has the discretion to treat multiple misrepresentations having common subject matter or content as a single misrepresentation. This provision could permit a court in appropriate cases to treat a misrepresentation in an auditor's report on the financial statements and a misrepresentation in an internal control audit report that relates to the auditor's report on the financial statements as a single misrepresentation.{11}
{1} This section is derived from the "Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports" issued by the SEC on June 18, 2003 (the SEC Release) -- see "C. Quarterly Evaluations of Internal Control over Financial Reporting -- 3. Final Rules".
{2} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- d. Method of Evaluating".
{3} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- d. Method of Evaluating" and the proposed CICA Standard.
{4} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- d. Method of Evaluating".
{5} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- a. Evaluation of Internal Control Over Financial Reporting" and "A. Definition of Internal Control -- 1. Proposed Rule and 3. Final Rules".
{6} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- d. Method of Evaluating".
{7} This section is derived from the proposed CICA Standard.
{8} This requirement is similar to requirements in federal legislation (such as the Canada Business Corporations Act and Trust and Loan Companies Act).
{9} This section is derived from the SEC Release -- see "B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting -- 3. Final Rules -- b. Auditor Independence Issues".
{10} The provisions of this part are similar to the provisions of Part 6 of the companion policy to MI 52-109.
{11} The provisions of this part are similar to the provisions of Part 7 of the companion policy to MI 52-109.