APPENDIX C TO NOTICE AND REQUEST FOR COMMENTS
SUMMARY OF COMMENTS
Table of Contents 1. General Comments 1. General Support for the Principles Underlying the Instrument Substantially as Published 2. General Support for the Principles Underlying the Instrument with Modifications 3. General Concern Regarding the Instrument 4. Harmonization with Sarbanes-Oxley 2002 (“SOX”) 5. Distinction between Small and Large Issuers 2. Anticipated Costs and Benefits – Proposed Internal Control Materials 1. General Comments 2. Other Costs or Benefits Not Identified 3. Whether Benefits Justify the Costs 3. Alternatives Considered – Proposed Internal Control Materials 1. Alternative #1 – No Internal Control Audit Report 2. Alternative #2 – Less Prescriptive Auditing Standard 3. Alternative #3 – More Limited Scope of Application 4. Alternative #4 – Evaluation of Entity-Level Controls Only 5. Alternative #5 – Voluntary Compliance 6. Alternative #6 – Status Quo 7. Agreement with Assessment of Identified Alternatives 8. Other 4. Relationship between 52-109 and 52-111 1. General Comments 2. Distinction Between Disclosure Controls and Procedures and Internal Control Over Financial Reporting 5. Requirements Not Currently Contemplated by the Instrument 1. General Comments 6. Part 1 – Definitions, Interpretation and Application 1. Definition of “Internal Control Audit Report” 2. Definition of “Internal Control Over Financial Reporting” 3. Definition of “Material Interest” 4. Definition of “Material Weakness” 5. Definition of “Significant Deficiency” 1
6. Definition of “Variable Interest Entity” 7. Application to Issuers Exempt from 52-110 7. Part 2 – Management’s Assessment of Internal Control Over Financial Reporting 1. General Comments 2. Disclosure 3. Risk-based Approach 4. Definition of Management 5. Scope of Evaluation 6. Scope of Evaluation – Joint Ventures 7. Additional Control Frameworks 8. Additional Guidance 9. Evidence – Content 10. Evidence – Manner of Maintaining 11. Board Approval of Internal Control Report 12. Limits on Disclosure – JV, VIE, Acquired Business 13. Limits on Disclosure – JV 14. Limits on Disclosure – Other 8. Part 3 – Internal Control Audit Report 1. General Comments 2. Integrated Audit 3. Other Standards for Preparation 9. Part 5 – Delivery of Internal Control Reports and Internal Control Audit Reports 1. General Comments 10. Part 6 – Language 1. Translation 11. Part 7 – Exemptions 1. General Comments 2. Transition 3. Exemptions for Issuers that Comply with U.S. Laws 4. Exemption for Foreign Issuers 5. Exemption for Asset-Backed Securities Issuers 6. Other Classes of Exempt Issuers 12. Part 8 – Effective Date and Transition 1. General Comments 2. Appropriateness of Phased-in Implementation 3. Phased-in Implementation and Expertise 13. Revised Certification Materials 1. General Comments 2. Venture Issuer to Refile Annual Certificates 3. Timing Gap 2
4. Inability to Certify Under 52-109 5. Certification Extending to Underlying Entities 6. Treatment of Underlying Securities 7. Form of Certification for Asset-Backed Issuers 14. Other Comments 1. Drafting Comments 2. Enforcement and Compliance 3. Directors’ Liability 4. Interaction with Short Form Prospectus Rule 5. Linkage Between Corporate Governance Guidelines and Disclosure Legend: ICFR: internal control over financial reporting. DC&P: disclosure controls and procedures
3
# Theme Comments Responses 1. GENERAL COMMENTS 1. General Support Issuers After extensive review and consultation and in view of the for the Principles Eight commenters express general support for the principles underlying 52-111. Reasons delays and debate underway in the U.S. over the Sox 404 Underlying the cited include: Rules, we have determined not to proceed with proposed Instrument • improves quality and reliability of financial and other continuous disclosure Multilateral Instrument 52-111. Instead, we are proposing Substantially as documentation; to expand National Instrument 52-109 to include various Published • creates potential for improvements to business processes, improved accountability additional provisions in respect of ICFR. of process owners, and enhancement of linkages with Enterprise Risk Management; • promoting a culture that emphasizes strong internal control; • increased level of discipline and rigor around disclosure processes and providing senior management and board with a heightened degree of comfort regarding continuous disclosure processes; • benefits to issuers such as focused effort on effective and efficient ICFR, promotion of an ethical environment and clear ownership and accountability for managements’ actions; • ensures competitiveness of Canadian companies in the global market; • approach is consistent with similar provisions under SOX; and • to maintain investor confidence in our markets through an enhanced focus on ICFR and through auditor attestation requirement.
Public Accountants Six commenters express general support for the principles underlying 52-111. Reasons cited include: • focus of companies on ICFR will improve performance and reduce fraudulent financial reporting; • strong ICFR is fundamental to reliable financial and other continuous disclosure reporting; • focus will prove invaluable in restoring investing public’s confidence in reliability of financial statements; and • expands and makes more explicit auditor’s responsibilities for ICFR thereby reducing investor expectation gap.
Investors Two commenters express general support for the principles underlying 52-111 since they
4
# Theme Comments Responses address key concern areas and control points. Other Two commenters express general support for the principles underlying 52-111. Reasons cited include: • improving quality and reliability of financial reporting; • enhancing investor confidence; and • maintaining consistency with SOX requirements. 2. General Support Issuers After extensive review and consultation and in view of the for the Principles Eight commenters express general support for the principles underlying 52-111 with delays and debate underway in the U.S. over the Sox 404 Underlying the suggested modifications that include: Rules, we have determined not to proceed with proposed Instrument with • the requirement for an internal control audit report be removed from the Multilateral Instrument 52-111. Instead, we are proposing Modifications requirements of 52-111; to expand National Instrument 52-109 to include various • that the requirements not apply to smaller TSX issuers as well as TSX Venture additional provisions in respect of ICFR. The proposals issuers; recognize that ICFR is important for all issuers. We believe • advocate a cautious and measured approach, a more efficient and effective “made- the elimination of the requirement for the issuer to obtain in–Canada model” should be developed with the benefit of lessons learned from from its auditor an internal control audit opinion, as well as the U.S. experience; various other changes, allow for a more risk-based, cost-• issuers should be permitted to conduct an assessment that is not a detailed effective application of the requirements. “mechanistic, check-the-box exercise”; and • the proposed effective date should be no sooner than 24 months after the adoption of the final instrument.
Other One commenter expresses general support for the principles underlying 52-111 but only for issuers with a market capitalization of over $500 Million.
3. General Concern Eight commenters want 52-111 withdrawn. Regarding the Instrument Issuers Twenty-three commenters generally do not support 52-111. Reasons cited include: • time spent to implement and recent concerns raised by issuers should be considered to ensure that all stakeholders benefit from 52-111; • regulations would give investors a false sense of security that the controls would prevent fraud; • the very intensive work required to evaluate internal controls, may take away from
After extensive review and consultation and in view of the delays and debate underway in the U.S. over the Sox 404 Rules, we have determined not to proceed with proposed Multilateral Instrument 52-111. Instead, we are proposing to expand National Instrument 52-109 to include various additional provisions in respect of ICFR. We believe the elimination of the requirement for the issuer to obtain from its auditor an internal control audit opinion, as well as various other changes, allow for a more risk-based, cost- 5
# Theme Comments Responses a company’s efforts to ensure financial statement preparation process properly effective application of the requirements. states accurate financials of particular importance for smaller companies, as they lack the resources to perform an adequate study of controls; • U.S. and Canadian capital markets are very different yet, proposed item is almost identical; • overregulation will drive smaller companies to avoid public capital markets, resulting in reduced small cap options for investors in the future; • any marginal improvement in business ethics resulting from the requirement to report on internal controls is not justified by the significant costs of implementation; • advocates the top-down, risk-based approach to the internal review and certification process, management with their external auditors should be able to leverage the risk framework already employed in an organization to determine areas and processes that have the greatest risk of a financial misstatement; • existing CSA initiatives have already resulted in improved investor confidence (CEO/CFO certification, audit committee, corporate governance, retention of auditors subject to CPAB); • excessive focus on rules and controls will lead to an atmosphere that constrains an organization’s ability to grow and to develop business strategies; • indication that Canada does not have the infrastructure to deal with 52-111; • cautious and conservative interpretation by external auditors of materiality and likelihood, in order to protect themselves from potential litigation, is gradually distancing issuers from the traditional concept of materiality; • auditor attestation will add undue burden to the reporting and auditing effort required by public issuers in Canada; • guidance on the scope of work (use of judgment, concepts of risk and top-down approach) and use of work of others (a competent and independent audit function) to support certifications is constantly changing; • a more efficient and effective “made-in-Canada” solution should be developed with the benefit of lessons to be learned from the U.S. experience; and • CSA has a duty to provide reasonable cost-effective protection to investors in public companies, protection includes a viable, cost efficient market.
Public Accountants Five commenters generally do not support 52-111. Reasons cited include: • serious doubts that the SOX “solution” will prevent “Enronitis”-type problems in the future;
6
# Theme Comments Responses • the costs will outweigh the benefits; • that the pendulum of reform has swayed too far and increased the potential for financial statement errors as companies and professional accounting firms were already stretched to the limit; • cautioned against following the U.S. lead, rather should allow investors to decide; • supports the B.C. Commission’s proposals where full disclosure is to be made rather than implementing detailed rules proposed in 52-111; • cannot legislate morality, will merely increase the cost of capital substantially for Canadian public companies, without concomitant benefit; • need to focus on fraudulent manipulation by senior executives; and • recommend a response that recognizes the types of issuers in Canada and that does not impose an undue burden on those companies.
Lawyers Three commenters generally do not support 52-111. Reasons cited include: • there is very little benefit to the policy in its totality, and the cost, in financial and management time, completely outweighs any potential benefit; • 52-111 copies the SOX internal reporting requirements, with little thought given to the long-term effect of such policy and the actual long-term benefit to shareholders; • 52-111 does not provide guidance as to the purpose of requiring ICFR, and the expectation of the regulators as to how that purpose is to be achieved; and • balance between costs and benefits for Canada’s much smaller capital market and smaller companies is questioned.
Other Two commenters generally do not support 52-111. Reasons cited include: • the letter and spirit of these new requirements brings management’s attention to too low a level of detail; and • the cost has been much higher for smaller issuers who do not have infrastructure and resources to implement the COSO framework.
4. Harmonization Issuers with Sarbanes- Six commenters agree that 52-111 should be harmonized with SOX. Reasons cited Oxley 2002 include: (“SOX”) • given the close market ties between Canada and the U.S., harmonization of reporting standards contributes to more consistent financial reporting for users and
After careful consideration of the feedback received and recent developments internationally, particularly in the U.S., we propose to expand MI 52-109 to include the internal control requirements. As described in our Notice, issuers will not be required to obtain an internal control 7
# Theme Comments Responses streamlines the process for preparation of financial reports; and audit opinion from their auditor. • encourages the CSA to critically evaluate the experience of SOX implementation and to give consideration to adopting a unique Canadian solution.
Eleven commenters identify harmonization concerns and/or make recommendations, including: • Canadian approach should build from the SOX 404 experience which revealed lack of interpretation guidelines and risk-based approach are adversely affecting cost effectiveness; • supports two important differences from SOX 404 (exclusion of certain issuers, staggered implementation dates); • supports need to be compatible with SOX 404, however, cautions against following a “lock-step” approach in achieving comparability with the U.S. rules and standards; • wants to ensure there is a thriving market for smaller entities in the future and that regulations such as 52-111 do not cause companies to stay private; • notes differences between the financial environment in Canada and the U.S. (company size and limited access to venture capital); • develop rules and auditing standards that focus on aspects of control and reporting that are most effective at providing protection to capital markets and providing Canadian issuers with the most effective sources of assurance (cost/ benefit balance); and • ensure that harmonization reflects the principles articulated in the SEC and PCAOB May 16 th guidance. Eight commenters disagree that 52-111 should be harmonized with SOX. Reasons cited include: • need to re-orient approach to a top down, risk-based assessment approach; and • leverage the U.S. experience to improve the cost-benefit relationship, rather than impose a compulsory and compliance oriented regulatory regime with punitive undertones.
Public Accountants Three commenters agree that 52-111 should be harmonized with SOX. Reasons cited include: • having two sets of rules/processes could be hugely confusing to issuers and auditors leading to incremental increases in costs; and
8
# Theme Comments Responses • the SEC Advisory Committee on Smaller Public Companies is studying how the internal control model is to be applied to smaller companies, and their recommendations will likely alleviate some of the current concerns.
Three commenters make specific recommendations regarding harmonization: • that the CSA and OSC establish a group to review U.S. implementation guidance and endorse the views for use by Canadian reporting issuers, and to encourage the CICA to establish a similar group to assess guidance issued by the PCAOB specific to auditors; and • closely monitoring developments in the U.S. will avoid significant costs experienced with SOX 404 implementation.
One commenter disagrees that 52-111 should be harmonized with SOX. Reasons cited include: • U.S. implementation costs much higher than expected; • implementation has been overdone by its attention to detail and by not using a risk-based top-down approach; and • smaller companies will be caught by the requirement on detail and documentation which does not address the core issue of fraudulent manipulation. Other One commenter agrees that 52-111 should be harmonized with SOX. Reasons cited include: • to keep methodology development implementation costs to a minimum; and • to put Canadian business on an equal footing with American businesses. 5. Distinction Six commenters express concerns for smaller issuers: We do not propose to distinguish between non-venture between Small • in the U.S. costs were multiples of expectations and the greatest burden was on issuers and venture issuers, so issuers will have to comply and Large Issuers smaller entities; with the additional internal control requirements regardless • establishing a Canadian equivalent to the SEC Advisory Committee on Smaller of where their securities may be listed or quoted. Our Public Companies (develop “made-in-Canada” approach); and proposals recognize that ICFR is important for all reporting • recommends that the CSA and OSC use the time provided by the phased approach issuers, regardless of their size or listing. The concern of to actively investigate the smaller public company issue. small issuers was a key reason for eliminating the requirement for an internal control audit opinion. We have also included a design accommodation in our proposals. This recognizes that certain venture issuers cannot reasonably overcome all the challenges in designing ICFR and allows these issuers to disclose a reportable deficiency in their design without having to remediate it.
9
# Theme Comments Responses 2. ANTICIPATED COSTS AND BENEFITS – PROPOSED INTERNAL CONTROL MATERIALS 1. General One commenter notes that commentary from various U.S. public issuers, including those at We believe that elimination of the requirement for the Comments the SEC Roundtable on May 10, 2006, have indicated that U.S. issuers have spent an issuer to obtain from its auditor an internal control audit average of 0.5% (larger companies) to 2.5% (smaller companies) of their revenues in opinion concerning management’s assessment of the complying with SOX attestation rules. As Canadian issuers have a smaller market cap, it effectiveness of ICFR will address some of the cost appears that there will be an even higher cost for Canadian issuers. These high costs are concerns experienced in the U.S. not justified.
One commenter refers to a survey conducted at Policy Forum 2005 held on May 26, 2005 by the CICA and the Institute of Corporate Directors where 80% of participants indicated that in “Year 1” of SOX 404 compliance, they expected the costs to exceed the improvement or benefit in the disclosure or control processes. Even in the second year, 2/3 of those surveyed indicated that there was no clear benefit which would outweigh the costs.
One commenter notes that, as a “small” U.S. company is much larger than most companies on the TSX, companies with less than a $500 million market cap will have a more difficult and costly process.
2. Other Costs or Issuers We believe that the proposed revisions to National Benefits Not Eight commenters note various costs and concerns, including: Instrument 52-109 adequately address the additional Identified • impairment of the competitiveness of our capital market as an additional cost concerns raised while attempting to realize the maximum burden (compared to the UK that has less regulation); benefits. • redirection of capital from growing smaller Canadian enterprises to compliance costs for which there is no demonstrated benefit; • issuers are spending disproportionate amount of resources to meet new compliance initiatives, affecting issuers’ ability to spend on profit generating investments in growth initiatives; • may take away time management would normally devote to strategic sales and business development; • an increase in the external audit fees, audit related services, and consulting costs to prepare for SOX 404; • estimates would likely be significantly higher (than the Charles River estimates) given the increased demand for auditors and the rising costs to execute SOX 404; and • hidden costs may include staff hiring requirements, increased salary levels, management focus on internal controls rather than strategic management of the organization, and external audit firms staffing challenges.
10
# Theme Comments Responses Two commenters note that an advantage is the creation of structured risk and control documentation which should reduce the risk related to turnover rate and facilitate staff succession and training.
Public Accountants One commenter encourages the exercise of caution when examining the U.S. experience because of regulatory staff increases, legal costs of litigation arising from these requirements (regulatory, civil) and the diversion of talent to these requirements when it could be used for better purposes.
Three commenters note additional benefits of 52-111 and the Sox 404 Rules, including: • increased awareness and skills of company personnel to assess risks and implement controls to mitigate those risks; • will lead to a lower cost of borrowing and reduced litigation risk for larger public companies; • upgraded membership of board of directors and audit committee; • positive impact on company-wide or entity-wide controls; and • improved financial statement close process. One commenter notes the following considerations when examining the U.S. experience: • existing weaknesses in corporate practice; • time crunch caused by underestimating the size of the projects and the delays in making appropriate plans and taking timely actions; • unclear expectations of management and auditors (a lot of the guidance did not get published until late in the year); • one time cost investments (e.g. documentation of systems); and • the scarcity of expertise. One commenter notes that quantitative analysis is incomplete because of significant assumptions that must be made and difficulty quantifying benefits. The following cannot be easily quantified: cost of internal control failures, related impact on cost of capital and benefits to investors, the increased ability of issuers to produce reliable financial statements without significant audit adjustments given management has assessed and remediated their ICFR. 3. Whether Benefits Issuers We believe the proposed additional internal control Justify the Costs Two commenters believe that the benefits will justify the costs. However, the position is reporting requirements will contribute towards achieving contingent on application of proposed rules in a cost effective and responsible manner that our objectives while balancing the associated costs and 11
# Theme Comments takes into account the commercial and business imperatives of the issuer. Nineteen commenters indicate that the benefits will not justify the costs. Reasons cited include: • competent controlled system audits will not result simply by requiring that they be performed; • costs will be disproportionately higher for smaller companies and those with complex or decentralized operations; • the non-quantifiable benefits from 52-111 do not justify imposing such a cost burden on shareholders of these small issuers for the sake of harmonization; • support found in the modest number of material weaknesses reported under the SOX 404 Rules; • auditor review and reporting represents an unnecessary duplication of effort and cost; and • will not provide any material benefit to stakeholders of public companies beyond what will be achieved by 52-109.
Public Accountants Two commenters contend that the benefits will not justify the costs of compliance.
Five commenters indicate that the benefits will likely outweigh the costs in the long-term. Factors referred to include: • likely be two more years before there is sufficient stability in issuers’ and auditors’ processes to enable a fair assessment; and • costs are expected to be lower when Canadian companies implement 52-111, as issuers learn from U.S. experience and audit firms develop an improved integrated audit methodology.
One commenter supports measuring costs and benefits, but believes that any conclusion will have to be largely a judgmental determination made by the securities commissions in light of proposed objectives.
Lawyers One commenter contends that the costs will completely outweigh the benefits, that 52-111 is unnecessary and not cost-effective. Commenter represents the perspective of junior companies and smaller TSX issuers with a market cap below $250 million.
12
Responses benefits. To minimize the costs of implementing the proposed internal control reporting requirements, we have eliminated the requirement that an issuer obtain from its auditors an internal control audit opinion. We have also provided guidance for management which should assist management in avoiding undue costs of implementation for issuers of all sizes. Further, our proposals include a design accommodation. This recognizes that certain venture issuers cannot reasonably overcome all the challenges in designing ICFR and allows these issuers to disclose a reportable deficiency in their design without having to remediate it.
# Theme Comments Responses One commenter recommends that Canada achieve a better balance between costs and benefits. Less convinced that 52-111 is appropriate for Canada’s much smaller capital market and much smaller public companies.
Other One commenter recommends alternative approach to ensure costs are reasonable for small companies and do not deter them from adopting risk management principles.
One commenter contends that without proper guidance and implementation of the regulations, costs quickly begin to erode the potential benefits.
One commenter notes that long-term benefits will probably justify the costs involved but in the short term, the cost benefit balance will be much more challenging (cites IIA research).
One commenter contends that the costs do not justify the benefits. Reasons cited include: • many private companies will delay or defer going public based on the excessive costs and other issues driven by these requirements; and • additional audit costs could result in a significant reduction in market capitalization, detrimental to shareholder value.
3. ALTERNATIVES CONSIDERED – PROPOSED INTERNAL CONTROL MATERIALS 1. Alternative #1 – Twelve commenters oppose the auditor attestation requirement. Reasons cited include: We agree and have eliminated the requirement for the No Internal • additional costs associated with layering yet another audit requirement on issuers issuer to obtain from its auditor an internal control audit Control Audit would not be justified with any perceived or actual increased benefit to investors; opinion. The board of directors and its audit committee, in Report • requirement will do more to hinder than promote timely and accurate reporting; consultation with the certifying officers, may choose to • existing regulations are sufficient to govern corporate internal control practices of consider whether they wish to engage the issuer’s auditor to small companies; assist in discharging their respective responsibilities for the • concern over auditor attestation is particularly acute for smaller issuers; issuer’s ICFR and review and approval of the issuer’s • existing requirements in 52-109 are sufficient to provide the requisite assurances annual MD&A. We have also provided additional guidance for investors that accurate and timely financial information is being disseminated that should help issuers apply a top-down, risk-based and that senior management has instituted internal control processes and fostered approach. an attitude of open, timely disclosure of all material information; • issuers not required to comply with Sox 302 and 404 Rules would provide only the CEO/CFO certifications; marketplace should decide whether there is any added value in having issuers go through an internal control attestation process;
13
# Theme Comments Responses • management should decide on the nature and extent of any audit work on the internal control certification that is appropriate in the circumstances; • sufficient to have a brief paragraph in the MD&A or financials, setting out steps that management has taken and their comments on its overall effectiveness; and • similar wording in the financial statement certificates would also provide greater comfort to the regulators.
One commenter suggests that the capital markets would be adequately protected by a combination of: • management’s report and evaluation of ICFR; and • an external opinion on management’s process to arrive at its self-assessment. One commenter recommends a model including alternatives #1 and #4. Reasons cited include: • would reduce costs to acceptable levels yet still provide a reasonably high level of comfort to investors; and • takes into account that the major financial reporting frauds have been committed top-down. Auditor attestation should not be required because auditor involvement has contributed significantly to the cost-benefit mismatch. Auditors legitimately fear second-guessing by regulators and auditing oversight bodies and have been unwilling to apply professional judgment, leading to overkill in the internal control auditing process. Auditor’s role should be restricted to providing negative assurance on management’s report on internal control (similar to MD&A review).
One commenter recommends waiving the requirement for an internal control audit report in the first year of adoption. This would enhance focus on ICFR and would lower compliance costs.
2. Alternative #2 – One commenter recommends less guidance for issuers and more guidance for auditors who Less Prescriptive should be permitted and encouraged to apply professional judgment in their audits. Auditing Standard 3. Alternative #3 – Eleven commenters agree with the scope of application. More Limited Scope of Four commenters disagree with scope of application, reasons cited include: Application • compliance should be limited to issuers that because of size, type of business and number of employees rely extensively on internal controls;
14
As noted above, we have eliminated the requirement for the issuer to obtain from their auditor an internal control audit opinion. We do not propose to distinguish between non-venture issuers and venture issuers, with the result that issuers will have to comply with the additional internal control requirements regardless of where their securities may be listed or quoted. Our proposals recognize that ICFR is important for all reporting issuers, regardless of their size or
# Theme Comments Responses • should apply to future large cap venture issuers; listing. The concern of small issuers was a key reason for • requirements should only apply to the largest issuers; eliminating the requirement for an internal control audit • costs of compliance are disproportionately higher for smaller companies; and opinion and as a result of the change. We have also • rules do not recognize that some entity-level controls and auditing procedures are included a design accommodation in our proposals. This particularly effective at determining the reliability of financial reporting in smaller recognizes that certain venture issuers cannot reasonably enterprises. overcome all the challenges in designing ICFR and allows these issuers to disclose a reportable deficiency in their Four commenters make recommendations on the scope of application, which include: design without having to remediate it. • application to future large cap criteria in year after meeting large cap criteria (certification of design effectiveness, followed by certification of operating effectiveness); • application to venture issuers in the longer term to reap benefits of internal control reporting; • companies listed on the equivalent of the venture exchange in other countries, that are not SEC issuers, should not be subject to 52-111; and • extending exemption to include non-venture issuers with market capitalization of less than $75 million (cost-benefit equation is much harder to demonstrate).
Nine commenters disagree with the exemption for venture issuers. Reasons cited include: • all issuers should be required to disclose known material weaknesses in their ICFR, and disclose fraud, whether or not material, that involves management or other employees who have a significant role in issuer’s ICFR; • there should not be a difference in disclosures of material weaknesses known to management, the external auditors or the directors; • will lead to further “ghettoization” of small issuers and that variation is not good for investors, issuers, or general perception of Canadian markets; • 52-109 applies to venture issuers, therefore CEOs and CFOs will be required to acknowledge responsibility for ICFR and certify that they have designed such controls; • goal to improve investor confidence and enhance the quality and reliability of financial disclosure is lost; and • venture issuers can be at a high risk of weaker controls over financial reporting. One commenter disagrees with exemption for investment funds. Reasons cited include: • investment funds are widely held by consumers who are outsourcing investment to professional fund managers; • investors could be largely unsophisticated and deserving of additional care; and 15
# Theme Comments Responses • if income trusts are considered investment funds, widespread conversion into income trusts means exemption would apply even though underlying control risks remain the same for corporations.
Six commenters stated their views on minimum market capitalization thresholds for We believe that governance issues respecting investment application. The views cited include: funds give rise to unique concerns, and thus are beyond the • the benefits do not justify the costs of compliance for market capitalization below scope of this project. $75 million. • larger companies have a broader scope for error, therefore consider a market cap of $100 million or more; • not in favour of a lower ‘cap’ since the majority of companies, let alone TSX-V juniors, cannot afford the financial burden of 52-111; • application of 52-111 should be limited to the largest (market cap exceeding $500 million) issuers and agrees with exemption for venture issuers; • set a market cap of $1 billion. Solution would capture majority of marketplace and recognize differences between Canadian and U.S. markets; and • limiting application to issuers with market cap of $500 million or more. This would address 92% of market value traded and spares 2/3 of issuers the disproportionate expense of full compliance by their companies.
One commenter argues that 52-111 should not apply to subsidiary issuers which do not have equity securities trading on a marketplace and whose parent company is subject to and complies with 52-111 (parallel 52-110 and 58-101).
One commenter recommends that venture issuers report on overall corporate governance approach, ethics guidelines and oversight of financial reporting.
One commenter recommends clarifying whether 52-111 only applies to issuers with listed equity securities (Section 1.2 and Part 7).
4. Alternative #4 – Five commenters support ELC. Reasons cited include: Evaluation of • could save a mandatory diversion of effort to focus on essential corporate Entity-Level controls; Controls (ELC) • an adequate level of assurance can be achieved, particularly if coupled with a Only focus on strong corporate governance and robust enforcement procedures; • ELC can be part of a top-down risk-based approach; and • ELC can be used as a risk assessment filter to identify which accounts and
We believe that the evaluation of ELC only would not result in an assessment that achieves our objective of improving the reliability and transparency of financial reporting. Although ELCs are important components of ICFR that should be evaluated, we believe that a further evaluation of the underlying controls over financial reporting from a risk-based perspective is needed for an issuer’s management to increase its focus on, and 16
# Theme Comments Responses processes pose the most risk. accountability for, the quality of financial reporting. One commenter recommends requiring management to evaluate ELCs relating to financial reporting as at financial year end and requiring the issuer to file a report of management that assessment of such controls aligns with its ethics, code of conduct and “tone at the top”.
One commenter recommends that this alternative be implemented at little cost for a five year trial period. Reporting on ICFR should remain voluntary for Canadian reporting issuers for this trial period.
One commenter notes that an alternative would be to focus the external audit on higher risk areas such as ELCs. Notes that within many issuers there is a commonly held view that ELCs are most significant in protecting the capital markets, and cynicism that so much of the effort required to fulfill the rules becomes focused on the relatively less significant process level controls.
5. Alternative #5 – One commenter rejected this alternative. Voluntary Compliance 6. Alternative #6 – One commenter rejected this alternative. Status Quo 7. Agreement with Six commenters generally agree with CSA’s assessment of identified alternatives. Reasons Assessment of cited include: Identified • U.S. rules coupled with recent SEC and PCAOB guidance create an effective Alternatives model if embraced by the regulators, standard setters, public companies & independent auditors; and • decision not to adopt formal reporting over ICFR with auditor attestation could create negative and unfair perceptions by investors, rating agencies and foreign regulators about the quality of management and governance in Canadian companies.
One commenter notes that the list of alternatives is reasonable. However, consideration
17
We believe that ICFR is important for all reporting issuers, regardless of size or listing. Therefore, all issuers will have to comply with the additional internal control reporting requirements regardless of where their securities may be listed or quoted. We believe that ICFR is important for all reporting issuers, regardless of size or listing. Therefore, all issuers will have to comply with the additional internal control reporting requirements regardless of where their securities may be listed or quoted. We acknowledge these comments and in light of recent events, comments received, and various consultations, we have decided not to require issuers to obtain from their auditors an internal control audit opinion. Instead, we are proposing to require issuers to describe their process for evaluating the effectiveness of ICFR.
# Theme Comments Responses should be given to a combination of alternatives such as combining the status quo with voluntary or entity-level compliance to allow issuers discretion based on particular priorities.
One commenter disagrees with the assessment of identified alternatives. 8. Other One commenter notes that given the objective of improving reputation of the Canadian Our current proposals require issuers to disclose any market, disclosure of additional control related information including disclosure of changes in ICFR during the reporting period that materially remediation plans should be considered. Disclosure by venture issuers of known material affect ICFR and information about an issuer’s remediation weaknesses in ICFR and of any known fraud, whether or not material, involving plans, if any. management or other employees who have a significant role in the issuer’s ICFR is consistent with this objective and should be required.
One commenter recommends that management be required to implement policies and We believe our proposals will result in an overall procedures to enhance the overall control environment. Approach will be specific dealing enhancement of the control environment. with the broader control environment/culture issues helping to enhance investor confidence.
One commenter proposes that 52-111 be changed to allow all issuers or at least those under Although we do not agree that the adoption of “standard” a certain size, to disclose those “standard” internal controls they have chosen NOT to adopt internal controls should be optional, we recognize that and say why and what they do instead. The exemption should apply for one year. certain venture issuers cannot reasonably overcome all the challenges in designing ICFR. Our proposals allow these issuers to disclose a reportable deficiency in their design without having to remediate it.
One commenter calls for a new proposal based on the following principles: After extensive review and consultation, we have • top-down risk-based approach; determined that we will not require the issuer to obtain from • greater emphasis on entity controls; its auditor an internal control audit opinion, but leave the • further staging delay to permit U.S. experiences to be solidified and to recognize engagement of the auditors to the discretion of the board the current U.S. timetables for foreign private issuers; and and/or audit committee. We have also provided additional • staging for smaller entities to accommodate additional work being done on control guidance that should help issuers apply a top-down, risk-framework for smaller entities. based approach. One commenter notes that interpretations are very broad and significantly impact the levels of documentation requirements. Suggestions include: • enhance and be more specific on the requirements for and reliance on company level controls; • clarify testing requirements for low risk but material processes; 18
# Theme Comments Responses • introduce a measurement for the promotion of an ethical environment; • training in the areas of ethics and ethics policies, financial reporting and entity governance should be a top priority from the entry level employee to the board of directors; and • implementation of an ethics hotline that is safe and confidential to use. One commenter supports the U.K. framework (put forward by Ken Rushton). Believes that the U.K. framework and a less rule-based policy, which gives companies flexibility to modify such policies based on their size and requirements, is the only workable solution if internal controls are ‘deemed’ necessary for political reasons.
One commenter recommends a top-down, risk-based approach, using sound professional judgment to improve financial reporting and balance of costs and benefits. Assurances of fair treatment at the outset will help increase the comfort level of Ontario-based auditors in the absence of protective legislation found in other jurisdictions.
One commenter proposes the following process to evaluate and test key internal controls: • include assessment of key controls that should be in place for the specific company in the financial statement audit; • auditors to provide management and the audit committee with their assessments; • incumbent on the audit committee to act on these recommendations as part of their corporate governance; and • CEO and CFO would review results in their assessments regarding the accuracy of the financial statements.
One commenter proposes that an issuer be allowed to opt out of 52-111 with the express approval of a majority of shareholders. This opt out process could be required to be repeated not less than every three years and should be prominently disclosed.
4. RELATIONSHIP BETWEEN 52-109 AND 52-111 1. General One commenter makes recommendations regarding the relationship between 52-109 and We acknowledge the comments. Comments 52-111: • there are substantive and meaningful penalties for not maintaining effective disclosure controls and ICFR; and • CICA Corporate Performance Reporting Board with the CSA develops guidance 19
# Theme Comments Responses for a separate section of the MD&A dealing with the various disclosures related to both disclosure control and ICFR.
2. Distinction Six commenters note overlap between DC&P and ICFR. We have considered the overlap between DC&P and ICFR Between DC&P and we believe our proposals address concerns relating to and ICFR the overlap. 5. REQUIREMENTS NOT CURRENTLY CONTEMPLATED BY THE INSTRUMENT 1. General Two commenters make the following recommendations: We acknowledge the comments but have decided that Comments • the CSA and OSC launch (or encourage SEC) study on DC&P to develop design of ICFR is best left to the judgment of certifying guidance around what is a desirable control structure; officers, acting reasonably, based on factors that may be • the CSA and OSC undertake to provide guidance on the role of audit committees particular to the issuer and that we will not mandate the use in an audit of ICFR; of a particular control framework. • audit committee to review the management report over ICFR and propose to the board for approval or CSA should clarify (amendment to 52-108); and Based on the proposals, the issuer’s MD&A is required to • clarify role of audit committee and board of directors (separate oversight include conclusions about the effectiveness of ICFR, the responsibilities for certification process and ICFR). control framework used, if any, the process for evaluating the effectiveness of ICFR and any reportable deficiencies. One commenter questions whether the audit committee should review the internal control The issuer’s MD&A is required to be approved by the report and make a recommendation to the board as to whether or not the board should board of directors and audit committee before being filed in approve the report. accordance with existing continuous disclosure and audit committee rules. 6. PART 1 – DEFINITIONS, INTERPRETATION AND APPLICATION 1. Definition of One commenter notes that the definition includes a report that “states that an opinion The term is no longer used because issuers will not be “Internal Control cannot be expressed”. Consideration should be given whether issuers should be allowed to required to obtain an internal control audit opinion from Audit Report” file a denial of opinion. their auditor. 2. Definition of One commenter recommended that the words “policies and procedures that” should be We have made this change in paragraphs (b) and (c) of the “Internal Control replaced by “policies and procedures that are designed to”. definition. Over Financial Reporting” 3. Definition of One commenter notes “material interest” is not defined. We do not believe that material interest needs to be defined. “Material Interest”
20
# Theme Comments 4. Definition of Two commenters make the following recommendations regarding the definition of material “Material weakness: Weakness” • clarify that if a reporting issuer has a material weakness in ICFR that they would conclude that internal control is ineffective; and • including definition of “material weakness” rather than reference to the auditing standard.
One commenter notes that using the attestation standard set out by the CICA would set the reliability of financial reporting and the preparation of standard so high that it would ultimately be unmet (costs outweigh benefits). This financial statements for external purposes in accordance standard’s definition of material weakness is unrealistic. with the issuer’s GAAP. One commenter notes that casting the test as “more than a remote likelihood” will result in matters being treated as material weaknesses even though a reasonable person would think that the risk of a misstatement occurring is not material.
5. Definition of Three commenters raise points regarding the definition of “significant deficiency”, which “Significant deficiency” is no longer used and has been “Significant include: replaced with the concept of “reportable deficiency” Deficiency” • recommend a definition of “significant deficiency” rather than reference to the discussed above. auditing standard; • query the definitional concern regarding significant deficiency; and • recommend additional guidance on what constitutes a “significant deficiency” and how to apply materiality when it relates to internal control reporting and extent of coverage required (check box approach is not helpful).
6. Definition of One commenter suggests that a definition of “variable interest entity” be added to the rule. We have defined “variable interest entity” to have the “Variable Interest meaning ascribed to the term under the issuer’s GAAP. Entity” 7. Application to One issuer and two lawyers suggest that subsidiary entities should also be exempt from 52- We continue to believe controls over subsidiaries that are Issuers Exempt 111 if they meet the requirements set out in 52-110 (s. 1.2(e)). consolidated are relevant since the subsidiary entities have a from 52-110 risk profile that is different from the issuer. 7. PART 2 - MANAGEMENT’S ASSESSMENT OF INTERNAL CONTROL OVER FINANCIAL REPORTING 1. General One commenter suggests that 52-111 or the 52-111CP should contain a clear statement as We continue to believe that certifying officers, acting Comments to when management cannot conclude that ICFR is effective. Reasons cited include: reasonably, should determine if there is a reportable • SOX 404 Rules state management cannot conclude that ICFR is effective if there deficiency in ICFR. We have included additional guidance are any material weaknesses; and in the companion policy regarding the evaluation of ICFR. 21
Responses “Material weakness” is no longer used and has been replaced with the concept of a “reportable deficiency”. A reportable deficiency is a deficiency, or combination of deficiencies, in the design or operation of one or more controls that would cause a reasonable person to doubt that the design or operation of internal control over financial reporting provides reasonable assurance regarding the
# Theme Comments Responses • although the CICA Standard prohibits an auditor from concluding ICFR is effective if there are any material weaknesses, 52-111 and 52-111CP lack a similar statement for management’s assessment.
Four commenters support requirement that management certify the effectiveness of ICFR. We acknowledge that certifying officers should evaluate the Reasons cited include: effectiveness of ICFR and disclose their conclusions, • management should be required to publicly report on all internal controls (entity describe the process used in their evaluation and disclose and bottom level); any reportable deficiencies. • internal auditing can contribute significantly to an organization’s efforts to improve ICFR; and • internal auditor should support management in carrying out its responsibilities but not take on management’s responsibilities for documenting controls or implementing systems of internal controls.
2. Disclosure One commenter agrees that all issuers identified in 52-111 should be required to prepare the internal control report. Three commenters disagree with requiring management to prepare an internal control report. Reasons cited include: • it will be fruitless to perform a financial reporting control check when the crucial decisions are made by a small group who can circumvent financial reporting; • certification by CEOs and CFOs is more than adequate; • concern over criminal responsibility of a CEO or CFO for something beyond their professional training (i.e. engineer); and • disclosure of weaknesses identified should only be reported internally to the audit committee and the external auditors.
One commenter expresses concerns over the internal control report. Reasons cited: • letter and spirit of requirements brings management’s attention to too low a level of detail; • few executives can be effective evaluators of ICFR if emphasis is on control procedures; and • ‘information technology general controls’ (52-111CP 2.3(2)(e)) and ‘control over procedures used to enter transaction totals’ (52-111CP 2.3(2)(f)) are items on which management can only take the word of associates.
One commenter notes that the management report required by Accounting Guideline 7 The
22
We have determined not to proceed with an internal control report. Instead, we propose to require that issuers disclose their conclusions about the effectiveness of ICFR in their annual MD&A. To achieve our objective of transparency in financial reporting, we believe identified reportable deficiencies should be disclosed publicly, including any changes made to ICFR which may have been made in response to previously identified reportable deficiencies. We further believe that the potential market reaction by investors to reportable deficiency disclosure will increase management’s focus on ICFR.
# Theme Comments Responses Management Report has become a perfunctory piece of disclosure, not subjected to any formal audit requirement or governance review and is not supported by any standardized or consistent assessment or evaluation of internal controls to support the statements made in such reports.
One commenter recommends that management’s annual report be filed as a separate document. Reasons cited include: • 52-109 contemplates that statements of effectiveness of DC&P and management’s report on effectiveness of ICFR would be included in the MD&A; and • to maintain consistency with SEC’s flexible approach. 3. Risk-based One commenter recommends that only internal controls considered primary should warrant We believe an evaluation of the effectiveness of ICFR approach documentation, assessment, and testing. Assessment and testing of ICFR should focus should take into account the particular risks of the issuer. more on acceptability of residual risk as opposed to inferring an absolute state of We have also provided additional guidance that should help effectiveness. issuers apply a top-down, risk-based approach. One commenter expresses concern that the requirements in 2.5(3) of 52-111 will cause an inordinate amount of work to be done within a relatively short period of time.
One commenter advocates risk-based approach to process controls. Refers to the SEC and PCAOB May 16 th guidance, commenter believes more reliance should be placed on: • company level controls; • a risk-based approach to process and control identification and testing; and • a focus on an “ethical environment”. The commenter also notes that the application of associated testing of SOX 404 and 52-111 should be based on an assessment of risk and not a quantitative only approach. 52-111 guidance should build on SEC May 16 th SOX 404 interpretations and where possible, provide additional guidance to allow for an effective and efficient application.
4. Definition of Nine commenters agree that a definition of management is not required. The term “management” is no longer used. Requirements Management for certification relate to each “certifying officer”, which is defined in the instrument. Three commenters recommend a definition of management be included or guidance be provided.
5. Scope of Four commenters agree with the scope of evaluation and recommend consideration of the Evaluation following: • contemplation of unusual circumstances and provide the equivalent of a BAR
We acknowledge the comments and have included discussion in our guidance about the use of a top-down, risk-based approach and the importance of an effective 23
# Theme Comments Responses with less than 75 days for an acquisition; control environment. • ordering of s. 2.3(2) of 52-111CP as emphasis is fundamental to the “top-down” approach recommended by the SEC and PCAOB; • guidance in s. 2.3 of 52-111CP is complete, however, recent guidance suggests that controls that have a pervasive impact (i.e. control environment) should be considered first; and • nature and extent of evaluation (management and auditor) should be based on assessment of inherent risk.
Two commenters recommend emphasis on top-down, risk-based approach to the internal review and certification process. Reasons cited include: • guidelines in the CP with respect to scope of evaluation of ICFR are not adequate; • provision of “reasonable” assurance and which approach allows use of a reasonable person’s judgment having regard to the size and nature of operations of the issuer and the risks associated with such issuer; • only material risks should be the focus of attestation; and • management with their auditors should be able to leverage the risk framework already employed in an organization to determine areas and processes that have the greatest risk of a financial misstatement.
Four commenters express the following concerns regarding the scope of evaluation: • enquiry is referred to only briefly (52-111CP 2.3(3)); • management can only take the word of associates on IT general controls (52-111CP 2.3(2)(e)) and control over procedures used to enter transaction totals (52-111CP 2.3(2)(f)); • companies have been compelled by their audit firms to document and assess controls at a very detailed level which resulted in spending a disproportionately high level of resources to document low impact and low risk processes; • audit firms have required management to attain coverage with less regard to risk (i.e. perceived “requirement” to obtain at least 80% coverage across significant accounts); • queries how an internal or external auditor would be able to practically assess the ethical stance of senior management and/or the board of directors; • scope of evaluation in 52-111 is similar to PCAOB AS 2, point 40 - it is vague on significant account and does not include controversial aspects such as assessing the likelihood of a deficiency, determining the entities to cover and the use of work of internal audit;
24
# Theme Comments Responses • brief description will not make it possible to adequately restrict scope of work recommended by external audit firms when interpreting the more detailed recommendations of the PCAOB; • issuers will face the same difficulties (as in the U.S.) if an effort is not made to more precisely define materiality, scope of work, and the use of work of the internal audit function to support certificates; and • in the banking industry the single concept of materiality, calculated using a percentage of pre-tax net earnings, results in coverage in excess of 80% for all balance sheet items and coverage in excess of 99% for 75% of items (due to the lack of precision in the scope of evaluation and the conservative stance adopted by external audit firms).
Three commenters recommend that more emphasis should be placed on entity-level controls in financial reporting and disclosure. Reasons cited: • approach will direct management and auditor efforts to a more risk-based approach and reliance on company level controls which are more difficult to test; • implementation and ongoing compliance costs including consulting and auditing costs could be reduced; • company level controls and risk based approach are essential to 52-111 being implemented in an effective and efficient manner; • more time needs to be spent on reliance on tone at the top and assessing and testing financial statement impacting processes based on risk by management that can be relied on by the company’s auditor; and • scoping should not be done by formula, but should be risk-based and not based on arbitrary mandated percentages (professional judgment).
Six commenters make various recommendations regarding the scope of evaluation, which include: • 52-111 should allow management and audit firms to use professional judgment in determining scope and coverage; • guidance on the level of coverage necessary to support assessment by management of the effectiveness of the issuers ICFR; • clarification on implementation of requirements, the level of documentation, assessment and testing of controls over financial reporting throughout an organization and how to effectively utilize a risk based approach with more reliance on entity level controls; • clearly defining “all significant accounts … in the financial statements” in the 52- 25
# Theme Comments Responses 111CP; and • additional guidance regarding industry-specific entities. One commenter recommends more guidance on tone at the top and recommends several factors to consider which include: • transparency; • establishing a reward and compensation system that does not discourage people to manipulate short term results to obtain their bonuses; and • listening to what everyone in the organization has to say. One commenter recommends CSA affirm focus on top-down, risk-based approach to the evaluation of ICFR. Reasons cited include: • ensures effort and resources are directed to right areas in proportion to risk; • leads to focus on most significant issues which will yield greater net benefits and to a more efficient and effective compliance process; and • ensures a sharper focus when determining nature and extent of process documentation, selecting controls to evaluate and test the nature, timing and extent of controls testing.
One commenter is concerned that there is insufficient guidance regarding the scope of internal control evaluation for smaller TSX issuers (those issuers with limited formal structures for internal control over financial reporting).
One commenter supports management certification of internal controls, if it is based on a risk-based, and not absolute, approach to the assessment of controls.
6. Scope of One commenter requests deleting s. 2.6 of 52-111. Reasons cited include: We agree and have provided a scope limitation from the Evaluation – Joint • the oil and gas industry is based on reliance on an operator’s processes for JV and requirement to design DC&P and ICFR extending into the Ventures partnerships; JV if the scope limitation is appropriately disclosed in the • it is inappropriate for regulators to interfere with the business negotiations and annual MD&A. industry practice; and • investors should derive comfort from the certifications and attestations of the operator without forcing JV partners to replicate the oversight already undertaken by the operator.
7. Additional Four commenters note that they are not aware of any additional established frameworks. Control
Certifying officers are not required to design ICFR using a control framework or evaluate the effectiveness of ICFR 26
# Theme Comments Responses Frameworks One commenter notes that outlined frameworks present solid foundations and will be against a control framework. However, control frameworks appropriate in many circumstances. may provide a useful tool for organizing the evaluation. On July 11, 2006, COSO published guidance for applying the One commenter notes that s. 2.4(4) of the 52-111CP indicates that 52-111 does not COSO framework to smaller companies. In addition to the encompass elements of control frameworks relating to operational or compliance concerns control frameworks previously identified, the Control “with the exception of compliance with applicable laws …” If comment remains, note that Objectives for Information and Related Technology ICFR may achieve multiple control objectives. Framework (COBIT) published by the IT Governance Institute may be a useful tool for applying a control framework to the issuer’s information technology systems. Ten commenters make various recommendations regarding the development and identification of appropriate frameworks, which include: • industry or similar organizations should be asked to develop frameworks using diverse taskforces; • there should be an identified framework that is constructed with the specific nature of smaller issuers in mind and compliance should be deferred for small TSX issuers until a suitable framework is identified (i.e. COSO); • a reference was made to a report written with W.A. Bradshaw for the CICA in 1991 regarding the assessment of management control; • should identify suitable IT control frameworks (i.e. COBIT) because the required controls include IT controls; • recommend adding the anticipated COSO framework for smaller issuers; • COSO, CoCo and Turnbull should be the only acceptable standards; • a comprehensive review of CoCo and COSO should be considered as complexity of business and internal controls has evolved since frameworks were developed; and • recommend adapting traditional internal control models to smaller issuers. One commenter believes it is inappropriate to determine the control frameworks that should be identified in an internal attestation policy.
8. Additional One commenter submits the following recommendations to avoid the consequences Guidance resulting from the interpretation and implementation of SOX 302: • require that registrants and auditors focus on the acceptability of residual risk; • retain the requirement to develop and maintain control design documentation; • require companies update control design documentation quarterly; • provide flexibility to management to determine level of control testing necessary to support its assessment conclusion; and
We have considered the comments and have provided some additional high-level guidance. We believe that the approach certifying officers take in designing and evaluating ICFR should be left to their judgment, acting reasonably, so we have limited the amount of guidance to allow for flexibility. We anticipate that industry-specific guidance and practices will develop. 27
# Theme Comments Responses • provide guidance for management on how to assess and report on control effectiveness.
Five commenters indicate that issuers and/or auditors would welcome the following further guidance: • guidance for the application of control frameworks; • guidance for management on testing of controls, scope of documentation, how entity level controls affect the nature, timing and extent of transaction level tests of controls, and to what extent management may rely on is entity level controls as a basis for its assertions; • guidance to assist management in moving from a “limited formal structure” to effective ICFR to minimize compliance costs; • when sufficient documentation and an appropriate body of knowledge exist to support conclusion on effectiveness of ICFR; and • clarifying what constitutes “effective internal control” and “reasonable assurance.”
One commenter recommends that a committee be established in Canada to address the concerns of smaller public companies that are unique to the Canadian business environment.
One commenter recommends the following implementation and application guidance: • focus companies on entity-wide risk using a “top-down”, risk-based approach to plan and set priorities for the evaluation exercise; and • guidance on issuers’ best practices will create consistency in approach taken by all companies and reduce uncertainty for expectations of Canadian regulators.
One commenter recommends further guidance concerning entity level controls, risk assessment and application to smaller companies. Guidance should address: • disclosure controls and ICFR; • requirement for a “scope” paragraph in the management report on ICFR describing nature and extent of assessment of ICFR and types of procedures performed to evaluate and test internal controls; • recognition that there can be differences in the scope of work performed by management and auditor (audit efficiencies/costs and competency/objectivity of client personnel); and • explicit requirement that management perform a meaningful assessment, 28
# Theme Comments Responses regardless of the control framework utilized in their assessment, of inherent risk for both disclosure controls and ICFR before evaluation and testing is performed.
Nature and extent of evaluation should be based on assessment of inherent risk so that the majority of testing performed is focused on controls over specific risks or high risk areas. Areas of high risk include recording of transactions or events that are not subject to a formal structured process (manual entries, non-routine/non-systematic transactions) and accounting estimates requiring high degree of judgment.
Six commenters recommend additional guidance for management in the following areas: • stressing importance of qualitative factors to balance out quantitative criteria, resulting in resources being devoted to more risky areas; • 52-111 should make reference to the documents the financial market authorities deem pertinent regarding COSO and COBIT; • how to assess effectiveness of ICFR, alternatively outline that management can adopt standards and guidance followed by auditors (consider application to management); • a more defined view of what “top-down” approach means and how it can be aligned to the auditors’ approach; • what reliance can be placed on entity versus transactional controls with an effective reliance on a risk-based approach rather than a quantitative materiality calculation; • ensure that the assessments are focused on the financial reporting elements of the core framework and that they are cost-effective; and • whether certain joint ventures are included. One commenter recommends that the CSA work with the CICA to assist in creating guidance for smaller issuers.
One commenter requests that guidance for management come from the CSA and not the CICA.
One commenter makes the following recommendations regarding guidance for management: • consider the importance of enterprise-risk management and controls other than financial reporting to ensure all aspects of strong governance are addressed by issuers; • considering the UK approach of “comply or explain” where fairly detailed 29
# Theme Comments Responses guidelines are provided to management; and • include a definition of “key controls” and “materiality”. 9. Evidence – Four commenters agree that the content of evidence is accurate and appropriate We acknowledge the comments and have eliminated the Content detailed evidence requirements. We have included guidance One commenter recommends the following changes to 52-111CP: dealing with the extent and form of documentation that • 2.5(1) - referring to management’s evaluation of design and operating should generally be maintained to provide reasonable effectiveness (i.e. management evaluates, auditors test); support for the certification of design and evaluation of • 2.5(1)(a) - “financial disclosure” should read “financial statements”; DC&P and ICFR. • 2.5(2(a) - clarify phrase “the evidence should include … the design of controls” and starting bullet (a) with “documentation of”; • 2.5(3) – clarification of “written or non-written form” is confusing including an example.
Seven commenters express concern regarding guidance on the content of evidence. The issues mentioned include: • indicate how much ‘documentation’ needs to be created in providing the necessary evidence (particularly for smaller issuers); • evidence required to support management’s assessment is account and process focused and would result in detailed documentation of a considerable number of processes, reasons cited include; o definition of ICFR; o 52-111CP s. 2.3(2) (a), (b), (e) describe broad scope; o s. 2.2 of 52-111 and CoCo contemplate detailed transaction level controls; and o CICA Standard contemplates a detailed approach that limits professional judgment; • the detailed emphasis on processes and transaction level controls, applied without judgment filters, is ineffective because it lacks focus on risk; • guidance in 52-111 regarding the type of evidence which must be maintained being evidence sufficient to provide reasonable support for management’s assessment and not all evidence that provides reasonable support for management’s assessment; • focus of section 2.5 of 52-111CP appears to be on design and documentation of processes and controls and recommends shifting the focus to risk-based approach; and • evidence may vary depending on issuer’s size, nature of business and complexity 30
# Theme Comments Responses of operations. One commenter recommends the following as to the levels of documentation requirements: • enhance and specify requirements and reliance on company level controls; • clarify testing requirements for low risk but material processes; and • introduce a measurement for promotion of an ethical environment. Two commenters recommend that the requirement in s. 2.5(2)(b) of 52-111CP refer only to “how significant transactions are recorded, processed or reported” because in many cases, initiation and authorization will have no impact on financial statements.
One commenter notes that the guidance is not adequate for issuers that have limited formal structures for ICFR. Issuers lacking formal structures tend to rely heavily on management supervisory types of controls to achieve ICFR. It is considerably more difficult to document testing of management supervisory types of controls, which can be stored and retrieved upon request.
10. Evidence – Eight commenters agree and one disagrees that the manner in which evidence must be We acknowledge the comments and have eliminated the Manner of maintained is adequate and appropriate. detailed evidence requirements. Maintaining One commenter expresses concern that the prescribed time period may not be appropriate and eight commenters agree with the time during which the evidence must be maintained.
One commenter recommends that the requirement to maintain evidence should be adjusted for non-Canadian issuers.
11. Board Approval One commenter recommends that internal control reports should be considered with the of Internal financial statements but should not require specific board approval. Control Report Three commenters make recommendations regarding approval of the internal control report in s. 2.6: • clarifying that if a board refuses to approve an internal control report whether they are in violation of s. 2.6; • the board of directors should be able to delegate approval of the internal control report to the audit committee; and • clarifying whether the audit committee should review the internal control report and make a recommendation to the board regarding approval.
12. Limits on Ten commenters agree that it is appropriate to disclose any limitations on management’s
We have determined not to proceed with an internal control report. Instead, we propose to require that issuers disclose their conclusions about the effectiveness of ICFR in their annual MD&A. Since the MD&A must be approved by the board of directors before being filed, management’s disclosure of their conclusions about the effectiveness of ICFR must be approved by the board of directors. Consistent with the review of MD&A by the board of directors, this approval cannot be delegated.
We continue to believe that DC&P and ICFR should be 31
# Theme Comments Disclosure – JV, assessment of effectiveness of ICFR. VIE, Acquired One commenter recommends the following regarding disclosure of limitations by Business management: • exempt management from assessing the controls over portfolio and equity investments (s. 2.6(3)); • check references in s. 2.6(4)(b) as they should refer to 5.6(5)(d)(ii) only; and • clarify the last sentence in s. 2.6(5) regarding the implications if management has the ability to evaluate ICFR but not the ability to design. One commenter requests further clarification of the scope of evaluation of ICFR extending to a JV or VIE and if the issuer can rely on the JV or VIE being in compliance with 52-111. One commenter recommends that where there are limitations, disclosure should include a description of the reasons for the limitation and management’s action plan and expected timetable to deal with the limitation presented.
One commenter recommends that the word “significant” be added when referring to interest in an entity to avoid work on insignificant entities. (52-111CP s. 2.6(3) and 52-111CP s. 2.6(5)).
Two commenters agree with disclosure if the business is material and there are actual limitations in management’s assessment of the effectiveness of ICFR in those businesses.
13. Limits on One commenter recommends disclosure of how management can conclude they have joint Disclosure – JV control but do not have access to the underlying entity (s. 2.6(3)). One commenter requests further clarification of the scope of evaluation of ICFR extending to a JV and if the issuer can rely on the JV being in compliance with 52-111.
Five commenters express concern regarding disclosure of any limitations on management’s assessment of the effectiveness of ICFR. Reasons cited include: • requirement is more onerous than the SOX 404 as JVs are accounted for using the equity method under U.S. GAAP and can be scoped out; • could result in a very costly effort to assess internal controls and yet an inability to remediate any weaknesses or deficiencies that are identified; • one of the JV partners may not have a reporting requirement or where the company who is required to report has no effective control over the JV;
32
Responses designed to extend into underlying entities to the extent necessary to provide reasonable assurance that material information about the entity is made known to the issuer on a timely basis and regarding the reliability of the information. We expect certifying offices to take all reasonable steps to design those controls. Where sufficient access to the underlying entity is not reasonably possible to design controls, the issuer is required to disclose the scope limitation in its MD&A together with summary financial information of the entity that has been consolidated in the issuer’s financial statements.
We have provided a scope limitation from the requirement to design DC&P and ICFR extending into the JV if the scope limitation is appropriately disclosed in the annual MD&A.
# Theme Comments Responses • disclosure requirements would erode management’s ability to focus on implementing strategies and managing business risks; and • if JV is material to issuer, then the internal controls will be appropriately addressed if management and auditors take a risk-based approach to review of internal controls.
One commenter recommends revising s. 2.6 where one of the partners is not bound by 52-111. Reasons cited include: • JV agreements entered into where the issuer is not the sponsor and does not manage financial records of JV; • difficult for issuer to force partner to comply (cost borne by issuer); • absorbing full cost of compliance will significantly impact issuer’s return from JV project; and • JV partners not required to comply with 52-111 will choose not to work with issuer if compliance costs are to be borne by the JV.
One commenter recommends that the attestation rules should allow for reliance on the operator of a JV and certification by the operator’s auditors regarding the operator’s internal control process. Reasons cited for the recommendation include: • the cost would be exponentially higher as each JV partner would have its own auditor engaged in the attestation of the JV operations oil and gas industry; and • inefficient use of business personnel time and potential impact to overall profitability and operations.
One commenter disagrees with disclosing any limitations on management’s assessment of the effectiveness of ICFR. Reasons cited include: • it is not practical that each JV partner be given access to the operator’s systems to evaluate ICFR; • it is not possible or practical to request access to a major energy company’s systems to audit/evaluate controls; • certain service providers would push back in providing access, as they are very concerned over privacy issues; • many oil and gas companies outsource accounting functions significant coordination effort required to review ICFR of various entities; • materiality thresholds of a large JV partner and a small JV partner make application of 52-111 unfair between them; and • companies identifying limitations may be perceived poorly by the markets. 33
# Theme Comments 14. Limits on Three commenters agree with disclosing any limitations in management’s assessment of Disclosure – the effectiveness of ICFR. Other Two commenters recommend additional areas for disclosure: • that a subsidiary that has gone into bankruptcy protection; • circumstances giving rise to scope limitation; • governance and controls in place; and • significance/materiality of excluded businesses. One commenter disagrees with disclosure of limits on management’s assessment where management is acting in good faith and with the agreement of its auditors and if there are extenuating circumstances that practically limit its assessment (i.e. extreme imbalance between cost and benefit). One commenter recommends limiting the assessment of an acquisition or merger for two years as of the acquisition or merger date. One commenter recommends that disclosure of weaknesses identified should only be reported internally to the audit committee and the external auditors. One commenter makes the following recommendations regarding disclosure: • management should be able to rely on assessment of subsidiaries subject to similar obligations of internal control certification and/or reporting without having to duplicate review of the subsidiary’s systems; and • management should disclose any limitations in its assessment, regardless of the reasons s. 2.5(1)(f) beyond JV and VIE. One commenter recommends considering limits imposed upon issuers subject of a merger, amalgamation, arrangement, or take-over (or reverse take-over), particularly where the management and board of the resulting issuer are new/different to the resulting entity.
8. PART 3 – INTERNAL CONTROL AUDIT REPORT 1. General Three commenters agree with the auditor attestation requirement. Reasons cited include: We acknowledge the comments, but have decided not to comments • without auditor attestation there would be little integrity and consistency in the require an issuer to obtain an internal control audit report from its auditor. Our proposals focus on the responsibilities
34
Responses We agree with the comments that disclosure of any limitations on management’s assessment should be required and, as noted above, if sufficient access to the underlying entity is not reasonably possible to design controls, the scope limitation should be disclosed in the issuer’s MD&A together with summary financial information of the entity that has been consolidated in the issuer’s financial statements. If issuers face specific challenges in designing and evaluating DC&P and ICFR into underlying entities, the issuer should seek relief which may be provided based on the specific facts on a case-by-case basis. We have considered the comments received on recent acquisitions and our proposals acknowledge that it may not be feasible to design DC&P and ICFR to include controls, policies and procedures carried out by a business that was recently acquired by an issuer. Where it is not feasible to design controls, policies and procedures carried out by a business that the issuer acquired within 90 days before the end of the period to which a certificate relates, the issuer is required to disclose this scope limitation in its MD&A together with summary financial information of the portion of the acquired business that has been consolidated in the issuer’s financial statements.
# Theme Comments Responses certification process; of management and on the expectation that management • auditor involvement is key to accurate and complete internal control disclosures; will take a vigorous approach to the design and evaluation • audit of ICFR will help ensure objectivity and consistency of management’s of ICFR. assessment process; and • auditor involvement is one of the significant reasons underlying the increased disclosures of material weaknesses in U.S. filings.
One commenter recommends the following areas where a more risk-based approach could be beneficial: • ability to rotate testing of key controls based on risk assessment; • ability to perform tests of controls during the year for lower risk processes as opposed to performing the tests substantially at year end; • ability to vary the extent of testing between routine low-risk processes; and • the use of internal auditors to provide principal evidence in certain areas. One commenter recommends that the AASB in consultation with the PCAOB encourage use of professional judgment and that the AASB initiate a project to revise GAAS to improve existing standards for reporting on internal control, annual financial statements, and interim reviews of quarterly annual reports.
One commenter calls for additional guidance to auditors emphasizing the use of a risk-based approach to auditing ICFR to learn from “Year One” experiences with the SOX 404 Rules.
One commenter recommends placing reliance on the work performed by internal auditors. Suggests that PCAOB AS No. 2 greatly restricts auditor’s level of professional judgment, resulting in duplication of evaluation and testing of controls.
One commenter notes that over the long-term, independent confirmation of management’s assessment of ICFR will provide greater comfort and assurance to investors and stakeholders.
2. Integrated Audit Six commenters support an integrated audit. 3. Other Standards One commenter expresses concern that proposed CICA Handbook in section “Identifying for Preparation significant accounts” (para. .060-.064) will not allow the same level of professional judgment for auditors. Without any changes, will result in different scoping criteria for management’s assessment and auditor’s assessment. Commenter agrees guidance in s. 5 is
We will not require an issuer to obtain an internal control audit report from its auditor. We agree with the comments relating to the top-down, risk-based approach and have included guidance in the companion policy focusing management’s attention on this approach. 35
# Theme Comments Responses adequate and appropriate. Two commenters specifically support a top-down, risk-based approach. Reasons cited include: • costs of compliance for Canadian issuers; • refers to recent SEC guidance in respect of the standard for auditor review; and • provisions in 52-111CP will only accentuate bias for a detailed, risk-averse approach by auditors.
One commenter recommends a more defined view of “top-down” approach and how it aligns with the auditor’s approach. The following questions require some guidance: • what reliance can be based on company level controls? • how does the identification and testing of company level controls impact the requirements for more specific transactional process control documentation, assessment and testing? • what account risk profile requires detailed process assessment and testing? and • how is materiality used in determining account identification and testing sizes when you have already considered risk, past experience and company level controls?
One commenter suggests two alternative standards of preparation consistent with a top-down risk-based approach. The first is an engagement to express an opinion on the design and existence of control procedures, would be reasonable and of equivalent value for investors. Alternatively, a limited scope of engagement of entity level controls (combined with a management assessment of controls identified through a risk analysis of entity level controls). Auditor should not be required to review controls underlying the entity level controls unless entity level controls are found to be inadequate.
One commenter strongly recommends that the CSA consider issuing additional guidance that allows for risk-based approach to scoping beyond a pure quantitative approach.
One commenter notes that, considering the depth and complexity of the COSO and COBIT assessments, it is questionable whether the cost of undertaking comprehensive annual updates would outweigh the benefits unless there is a material change in the business environment.
One commenter recommends modifying the scope of auditors work to cycle through the internal controls over a 3-year period. It still provides the appropriate check and balance to the management evaluation of internal controls. The cycle approach need not be
36
# Theme Comments Responses systematic to ensure the element of choice remains with the auditor. One commenter urges the CSA provide guidance to the CICA in setting the CICA Standard. Notes the terms “material” and “remote” in para. .017 of the proposed CICA Standard requires comprehensive review and extensive testing. CSA guidance is necessary to avoid difficulties created by PCAOB AS No. 2. Contends that this will enable the auditor to perform its work within a top-down risk-based framework.
One commenter notes that concern over auditor attestation is particularly acute for smaller issuers. Important that smaller issuers not be overwhelmed with additional costs and efforts that are proportionately much larger and more disruptive.
One commenter recommends encouraging external auditor’s reliance on the use of work of a competent and independent internal audit function (i.e. IIA’s International Standards for the Professional Practice of Internal Auditing). Using the work of internal auditors, where appropriate, would increase efficiencies in testing and reduce costs.
9. PART 5 – DELIVERY OF INTERNAL CONTROL REPORTS AND INTERNAL CONTROL AUDIT REPORTS 1. General One commenter recommends clarification of section 5.1 when it states that an issuer must We acknowledge the comment, however, since our Comments send an internal control report when it “must” send its annual financial statements and proposals require disclosure only in the issuer’s MD&A, MD&A under 51-102. Section 4.6 of 51-102 requires issuers to send financial statements the delivery requirements are dealt with in NI 51-102. to anyone who requests them except where financial statements were filed more than two years before the issuer received the request. Suggests rephrasing s. 5.1 as follows: “When an issuer sends its annual financial statements and annual MD&A for a financial year to a person pursuant to Section 4.6 of 51-102 it must also send to the person or company, concurrently and without charge, a copy of its internal control report and internal control audit report, if any, prepared for that financial year.”
10. PART 6 - LANGUAGE 1. Translation One commenter queried whether section 6.1(3) would require translation of the reports into Since our proposals require disclosure only in the issuer’s French. MD&A, the translation requirements are dealt with in NI 51-102. One commenter recommends s. 6.1(1) should be rephrased as “an issuer required to file internal control reports and internal control audit reports under this Instrument may file
37
# Theme Comments Responses them in French or in English” and notes that it is not clear what obligation 6.1(3) is intended to impose upon an issuer.
11. PART 7 – EXEMPTIONS 1. General Seven commenters agree with the proposed exemptions. Comments One commenter disagrees with the exemptions noting that size tests based on market cap or similar dollar measures often do not recognize the problem. Commenter recommends more exemptions. One commenter notes division on whether there should be differing levels of compliance based on a measure such as company size. Concern that smaller companies would face a disproportionate increase in costs to comply and that the requirements should be reduced for smaller companies.
2. Transition One commenter recommends adjusting the exemption transition levels to the following: We believe that ICFR is important for all reporting issuers, • Transition 1 issuers – market cap of $500 million or more, but less than $1 billion; regardless of their size or listing. Therefore, we are not • Transition 2 issuers – market cap of $250 million or more but less than $500 proposing staggered implementation dates. million; and • Transition 3 issuers – market cap of $75 million or more but less than $250 million.
One commenter recommends widening scope of exemption given to transition 1 issuers from $250 million to $1 billion. Reasons cited: to provide companies with benefit of learning from U.S. experience and to provide auditors with more time to evaluate the issues relating to scope of their audits.
3. Exemption for Three commenters support the proposed exemption for issuers that comply with SOX 404. We have maintained the exemption for issuers that comply Issuers that with the Sox 302 and Sox 404 Rules. Comply with U.S. Laws 4. Exemption for One commenter recommends that the rules under this regulation be conformed to the SOX We acknowledge the comments and continue to provide an Foreign Issuers 404 specific foreign issuer rules. Specifically, foreign issuers in Canada should comply but exemption for issuers that comply with U.S. laws. be given extra time to implement.
5. Exemption for One commenter questions appropriateness of requiring issuers of asset-backed securities to
We propose that the additional internal control reporting requirements apply to all reporting issuers, other than investment funds, consistent with the current scope of MI 52-109. Our proposals recognize that ICFR is important for all reporting issuers, regardless of their size or listing. We recognize that certain venture issuers cannot reasonably overcome all the challenges in designing ICFR and our proposals allow these issuers to disclose a reportable deficiency in their design without having to remediate it.
We believe that ICFR is important for all reporting issuers 38
# Theme Comments Responses Asset-Backed file the full annual certification in Form 52-109F1. It may be more appropriate for these and, subject to the design accommodation discussed in our Securities Issuers issuers to file the same form of annual certification to be filed by venture issuers (also proposals, are proposing that the requirements apply to all exempt from 52-111). issuers other than investment funds. ABS issuers are subject to the continuous disclosure requirements set out in NI 51-102, however, some ABS issuers have obtained relief from certain continuous disclosure requirements. ABS issuers that have obtained relief from certain continuous disclosure requirements may apply for relief which will be considered on a case-by-case basis. 6. Other Classes of Various commenters recommend: We believe that ICFR is important for all reporting issuers, Exempt Issuers • compliance be limited to those issuers that must, because of size, type of business regardless of their size or listing, thus our proposals apply and number of employees rely extensively on internal controls; to all reporting issuers other than investment funds. • allow issuers under a certain size to have an exemption to disclose those However, in recognition of the unique challenges that “standard” internal controls that they have chosen to NOT adopt and to say why certain venture issuers face in designing ICFR, we have and what they do instead; included in our proposals the design accommodation. • companies listed on the equivalent venture exchanges in other countries, other than SEC issuers, should not be subject to 52-111; • extend exemption to issuers with market capitalization of less than $75 million; • subsidiary entities should also be exempt from 52-111 if meet the requirements in s. 1.2(e) of 52-110; • use of bright line tests to determine exclusion for smaller TSX issuers. Suggests that the size test be consistent with an existing test, such as the current size of U.S. $75 million public float currently applied to issuers using MJDS; • exemptions provided in the application sections of MI 52-110 and NI 58-101 be extended and apply to the final version of proposed 52-111. Alternatively, an exemption should be added to allow issuers who have exemptive relief orders allowing them to rely on the financial statements of another issuer to also rely on that issuer’s internal control report.
12. PART 8 – EFFECTIVE DATE AND TRANSITION 1. General Twenty-two commenters recommend delaying implementation for at least one year. The Comments reasons cited include: • implementation experience of the SOX 404 Rules shows that compliance exercise is time consuming and a costly diversion of resources away from the core business; • SEC delay for foreign private issuers creates additional pressures on resources (same timeline for 52-111) to ensure consistency;
We believe the process of evaluating the effectiveness of ICFR will be a significant undertaking for many issuers. Therefore, we have allowed for a significant lead time for issuers to plan and implement efficiently the activities required to support the additional certifications and disclosure related to ICFR. 39
# Theme Comments Responses • Canadian issuers are smaller than Canadian SEC registrants and do not have the same financial and human capacity or flexibility; • deferral would provide opportunity to more effectively deal with resource constraints; • ensure Canadian companies benefit from U.S. experience and the adoption of clear and complete auditing guidelines (PCAOB) to achieve effective and sustained change within the issuer’s organization; • to determine how to provide guidance for companies attempting to implement changes required by 52-111; • enables issuers to have more time to review internal controls and implement improvements that could benefit operations and bring additional value; • current standards used by external audit firms require internal controls be effective for 6 months to be positively assessed – issuers would be left with a short time period to adjust to the new requirements (less than 1 year across the world); • effect on the business (bank) of carrying out this work simultaneously with the work required by the Basel Accord; • fraud detection and prevention requirements in the SOX 404 Rules have been causing significant difficulties in the U.S., recommend that the equivalent provisions in 52-111 be deferred until SEC has resolved this issue; • required changes to IT have to be planned 12 to 18 months in advance; and • change in culture requires careful planning, insufficient time would result in unnecessary tension and strain on management.
2. Appropriateness Sixteen commenters support phased-in implementation. Reasons cited include: We believe that ICFR is important for all reporting issuers, of Phased-in • reduces the impact of having all issuers fighting for limited skilled resources in regardless of their size or listing. We are no longer Implementation the same period to support on-time compliance; proposing staggered implementation dates because we • allows for more guidance to be available to smaller issuers, based on the believe our proposals address the concerns about limited experiences of larger issuers; resources being available to implement ICFR, which • allows for costs of compliance to be spread out over time; initially led us to consider staggering implementation of the • facilitates orderly implementation; requirements. • provides smaller issuers and non-venture issuers with a lower market capitalization reasonable time to comply; • compliance requires a significant effort and resources are very limited for smaller companies; and • allows more studies to be performed on the application of internal control frameworks to smaller companies.
Three commenters disagree with phased-in implementation since it does not adequately
40
# Theme Comments Responses address cost and limited expertise and concerns with a long transition period between management’s certification of design effectiveness and management certification and auditor attestation of ICFR.
One commenter expresses the phase-in period is too long for smaller issuers (< $250 million market cap). Reasons cited include: • exposes investors to a greater degree of risk and provides too large a time lag for management; and • discussions reveal that many smaller issuers are starting the process earlier than expected, and do not expect significant resistance to reducing the phase-in period.
One commenter recommends time frame from implementation between transition issuers should be extended to 24 months from 12 months.
One commenter agrees that a requirement including auditor attestation should be phased-in by size of company. However, the proposed threshold of $500 million is too low. Scarcity of resources and lack of guidance respecting internal control frameworks for smaller companies is a challenge.
One commenter recommends breaking down implementation phases further. Aim is to have a more even distribution of issuers based on market cap comply with requirements each year.
One commenter disagrees with phased-in implementation, suggesting that 52-111 be restricted to Canada’s largest issuers. Following completion of “Year 1”, the CSA should examine such issuers’ implementation experience to make an informed decision regarding application to smaller issuers.
3. Phased-in Five commenters disagree with the approach because the proposed timeframe requires all Implementation issuers to compete for scarce resources. and Expertise Four commenters agree that phased-in implementation helps address the concerns regarding the costs and limited availability of appropriate expertise. Five commenters express concern regarding limited availability of appropriate expertise both within issuers and auditors to undertake and complete the evaluation requirements.
Two commenters noted the following constraints on resources:
41
We believe that ICFR is important for all reporting issuers, regardless of their size or listing. We are no longer proposing staggered implementation dates because we believe our proposals address the concerns about limited resources being available to implement ICFR, which initially led us to consider staggering implementation of the requirements.
# Theme Comments Responses • many recent regulatory changes (Basel Accord, CICA); • delay in application of SOX to FPI results in recruiting difficulties for issuers and auditors; • operating in a French environment limits recruiting abilities. One commenter notes that phased-in implementation does not adequately address the cost and limited resource concerns, and will not sufficiently ease the burden on smaller issuers. The commenter recommends delaying compliance for Canadian issuers who are not already complying with SOX 404, until the CSA has sufficient time to study and digest the impact of SOX on SEC registrants.
13. REVISED CERTIFICATION MATERIALS 1. General One commenter recommends that smaller companies exempt from 52-111 should still be Comments required to certify ICFR. Possible legal ramifications of making such certifications without appropriate due diligence should encourage signing authorities to ensure their internal control processes are appropriate for the scale and scope of their operations. One commenter notes that the revised certification materials require management to focus on internal controls and ensure the appropriate control environment is instituted. The additional responsibility on the CEO and CFO to sign these certificates will require such officers to ensure there is an environment from the top of the organization downward to have proper accounting and disclosure processes in place.
Two commenters request adding to 52-109 the requirement for management to disclose any material weaknesses to the audit committee and auditors.
One commenter recommends maintaining the requirements of CEO/CFO certifications in 52-109. Most companies will be compelled to establish a suitable internal control framework (i.e. COSO) to meet the requirements of full annual certification. Hence, the requirements in Part 2 of 52-111 (up to and incl. 2.3) will be a natural outcome.
One commenter endorses exemption provided in 7.1 of 52-109 for issuers that comply with the certification requirements of SOX 302.
One commenter notes that the certifying officers would not necessarily be involved in the design of internal controls and procedures and ICFR. Requests review of wording in Form
42
We agree that all issuers should be required to certify ICFR since we believe ICFR is important for all issuers, regardless of size. We believe our proposals will increase managements focus on, and accountability for, the quality of ICFR. We have also included a requirement that reportable deficiencies existing at the end of the period to which a certificate relates be disclosed in the issuer’s MD&A.
# Theme Comments Responses 52-109 to this effect. Notes that in most circumstances, benefit from internal control processes are put in place over the years by their predecessors.
2. Venture Issuer to One commentator disagrees with the requirement of a venture issuer to refile its annual We acknowledge the comments but continue to believe that Refile Annual certificates for a financial year when it voluntarily files an AIF for that financial year after the subsequently filed AIF may include more current Certificates it has filed its annual financial statements, MD&A and certificates for that financial year. information than is included in the annual financial statements and MD&A that must also be certified. The One commenter notes that it is not appropriate to require refiling because of timing gap. refiled annual certificate relates to the annual filing, which Although AIF is filed with respect to a financial year, it should take into account consists of the annual financial statements, MD&A and subsequent events. Certificate will also bear a later date. However, annual financial AIF, not to each of the individual documents. If a venture statements and MD&A, since they have already been filed, will not have been updated. It issuer is concerned with refiling its annual certificates, it may be difficult to still conclude financial statements and MD&A “fairly present” matters may be possible to reorganize its affairs to file its AIF without taking into account events subsequent to year end. together with its annual financial statements and MD&A. Three commenters believe it is appropriate for venture issuer to refile annual certificates. Reasons cited include: • If issuer is relying on the AIF as a document incorporated by reference in order to raise capital, or as part of its continuous disclosure record, it will need to be protected by the certifications. Otherwise, there may be a gap in identifying reliance by investors and corresponding liability by the issuer and its CEO and CFO • serves to confirm that there have been no material changes to the related financial statements and annual MD&A.
3. Timing Gap One commenter notes timing gap may be problematic, but needs to be addressed by We acknowledge the comments and agree that issuers need companies. Certificates should cover up to the last of filing documents. to address the issues. It may be possible for the issuer to reorganize its affairs to file its AIF together with its annual One commenter believes that AIF should clearly set forth any material changes to the financial statements and MD&A. information presented in related financial statements and annual MD&A. Assuming this is the case, the proposed certificates would be appropriate and desirable as the “annual filings” referred to in the certificates should collectively be “certifiable” using the proposed certificate wording.
One commenter does not see the timing gap as problematic. Any subsequent information obtained including updates on ICFR would need to be looked at if it impacted the financial statements already issued and what appropriate actions, if any, would need to be taken. Assessment of significant deficiencies and material weaknesses disclosures required would be taken into consideration.
43
# Theme Comments Responses One commenter notes that a significant timing gap may create confusion. It must be clear from the revised certificate that the representations relating to previously filed documents remain unchanged and that the certificate has been filed solely to cover the voluntarily filed AIF. This can occur if a separate certificate covering the voluntarily filed AIF must be filed.
4. Inability to One commenter notes that one should be able to expressly qualify one’s certification, with Our proposals allow management of an issuer, in certain Certify Under 52- an explanation, without putting the issuer and others off-side and thus liable to penalties for circumstances, to disclose scope limitations in their 109 not filing the certificates in the form required. certification, if the issuer makes appropriate disclosure in its annual MD&A. 5. Certification Three commenters note the following: Our proposals allow management of an issuer, in certain Extending into • expectation that management will have sufficient access to a subsidiary to circumstances, to disclose scope limitations in their Underlying evaluate issuer’s ICFR in the subsidiary will not be true in all cases, especially certification, if the issuer makes appropriate disclosure in Entities where the subsidiary is a public company; its annual MD&A. We may consider granting relief in other • most companies are complex, with subsidiaries, equity interests and venture situations where certification is not feasible, on a case-by-investments. The guidance on the boundaries cannot override judgment and case basis. applying the risk-based approach; and • generally the guidance is adequate and appropriate. The phrase “all reasonable steps” is open to interpretation;
6. Treatment of One commenter finds that the guidance regarding the treatment of underlying entities set Underlying out in the Revised Certification Policy is inadequate and inappropriate. Securities 7. Form of One commenter questions appropriateness of requiring issuers of asset-backed securities to Certification for file full annual certification in Form 52-109F1. Asset-Backed Issuers
14. OTHER COMMENTS 1. Drafting One commenter recommends that 52-111, 52-111CP and 52-109 be amended [particularly We have not amended the definition of ICFR, but we have 44
We have revised the guidance regarding the treatment of certain underlying entities in our proposals. We believe that ICFR is important for all reporting issuers and, subject to the design accommodation discussed in our proposals, are proposing that the requirements apply to all issuers other than investment funds. ABS issuers are subject to the continuous disclosure requirements set out in NI 51-102, however, some ABS issuers have obtained relief from certain continuous disclosure requirements. ABS issuers that have obtained relief from certain continuous disclosure requirements may apply for relief, which will be considered on a case-by-case basis.
# Theme Comments Responses Comments definition of ICFR, s. 2.3(2) (a)(b)(e) & 2.4 of 52-111CP, 52-111 s. 2.2 & 3.2(1)(a)] to provided guidance that encourages issuers to adopt a risk-permit issuers to conduct an assessment that is not a “mechanistic, check-the-box exercise”. based approach. 2. Enforcement and One commenter makes the following recommendations in respect of the compliance and We intend to monitor the implementation of our proposed Compliance enforcement of 52-111: approach as part of our continuous disclosure reviews. As • CSA and OSC should publicly commit to the same standards of compliance and part of that process, we may enquire into the procedures enforcement that the SEC and PCAOB committed to on May 16, 2005 (i.e. that support the disclosure and certifications, particularly proactive communication); where the continuous disclosure filings contain material • CSA and OSC should specifically commit to high-level principles that will help misstatements or apparent errors. define the assessment process under 52-111 for all concerned (to avoid implementation problems experienced in the U.S.); and • Establish a Canadian equivalent to the SEC Advisory Committee on Smaller Public Companies (develop “made-in-Canada” approach).
3. Directors’ One commenter refers to Part 6 of 52-111CP regarding liability of officers for We acknowledge the comment, but we believe that Liability misrepresentations that may be contained in an internal control report and of audit firms directors and officers should be aware of potential liability with respect to internal control audit reports. Recommends adding reference to potential exposure and a discussion is not necessary in our proposals. exposure of directors respecting internal control report and, possibly, the issuer.
4. Interaction with One commenter states that the internal control report and the internal control audit report We believe that if an issuer has identified a reportable Short Form will not be incorporated by reference into a short form prospectus under 44-101. CSA deficiency in its ICFR, the prospectus requirements would Prospectus Rule should provide guidance on extent to which material weaknesses in internal control will already require disclosure of this risk factor. have to be disclosed in a prospectus to meet “full, true and plain disclosure.”
5. Linkage Between One commenter recommends that the CSA communicate linkages and interrelationships of Although we believe an issuer should obtain this type of Corporate various policies and instruments so that boards of directors, management and auditors can interpretation from its legal counsel, we have provided Governance understand and ensure that all components are implemented in a cost effective manner. some guidance on board and audit committee involvement Guidelines and in our proposals. Disclosure
45