Written By Stephen P. Sibold, Q.C.

On March 10, 2006, the Canadian Securities Administrators (CSA) announced that, after extensive review and consultation and in view of the delays and the debate underway in the United States over the rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404 Rules), the CSA will not proceed with its proposed internal control rule (MI 52- 111 – Reporting on Internal Control over Financial Reporting). This will be welcome news to issuers who were concerned about the costs of compliance with proposed MI 52-111.

MI 52-111 Requirements Similar to SOX Rules

Proposed MI 52-111, as it was published for comment on February 4, 2005, was substantially similar to the requirements of the SOX 404 Rules. Under MI 52-111, management of an issuer would have been required to evaluate the effectiveness of the issuer's internal control over financial reporting, as at the end of the issuer's financial year, against a suitable control framework. In addition, the issuer would have been required to file the following with securities regulatory authorities:

• a report of management regarding its assessment of the effectiveness of the issuer's internal control over financial reporting, including a statement as to whether the issuer's internal control over financial reporting is effective; and
• a report of the issuer's auditor prepared in accordance with the CICA's auditing standard for internal control audit engagements.

CSA received considerable feedback from issuers expressing concern over the costs associated with the requirements for a report of management and an internal control audit opinion. In response to the feedback received, the CSA decided not to proceed with MI 52-111 and instead adopted a "made in Canada" approach that will apply in all Canadian jurisdictions.

New Proposed Internal Control Reporting Requirements

The CSA is proposing to expand existing requirements contained in MI 52-109 – Certification of Disclosure in Issuers' Annual and Interim Filings to include the following additional provisions in respect of internal control over financial reporting:

• the CEO and CFO of a reporting issuer, or persons performing similar functions, will be required to certify in their annual certificates that they have evaluated the effectiveness of the issuer's internal control over financial reporting as of the end of the financial year. They will also be required to certify that, based on their evaluation, they have caused the issuer to disclose in its annual MD&A their conclusions concerning the effectiveness of internal control over financial reporting as of the end of the financial year; and
• the disclosure required in the MD&A will include a description of the process for evaluating the effectiveness of the issuer's internal control over financial reporting and the conclusions concerning the effectiveness of internal control over financial reporting as of the end of the financial year.

Issuers will not be required to obtain from their auditors an internal control audit opinion concerning management's assessment of the effectiveness of internal control over financial reporting. The earliest that these requirements will apply is in respect of financial years ending on or after December 31, 2007. The CSA plans to publish an amended and restated MI 52-109 for comment later this year.

Implications for Issuers

Unlike proposed MI 52-111, the new proposed internal control reporting requirements are expected to apply to all reporting issuers (other than investment funds), including those listed on the TSX Venture Exchange.

Although engagement of an auditor will not be a requirement under MI 52-109, the board of directors and its audit committee will still need to consider whether they wish to engage the issuer's auditor to assist in discharging their responsibilities in respect of the issuer's internal control systems and review and approval of the issuer's annual MD&A.

No Deferral of CEO and CFO Certifications of Internal Control Design

MI 52-109 currently provides that, beginning with financial years ending on or after June 30, 2006, CEOs and CFOs (or persons performing similar functions) are required to certify that they have designed internal control over financial reporting and caused certain changes in internal control over financial reporting to be disclosed in the issuer's MD&A. The implementation of these requirements is not deferred, even though the CSA proposes to implement the requirement to certify the evaluation of the effectiveness of internal control over financial reporting at a later date.

Conclusion

This revised approach by the CSA should better balance the costs and benefits associated with the internal control reporting requirements without diminishing the expressed objective of improving the quality, reliability and transparency of financial reporting. It also shows a willingness of the CSA to be responsive to the concerns of reporting issuers over anticipated costs of the initially-proposed internal control rule.