(1) Extent and form of documentation for design – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of design of DC&P and ICFR. The extent of documentation supporting the certifying officers’ design of DC&P and ICFR for each interim and annual certificate will vary depending on the certifying officers’ assessment of risk, as discussed in section 6.6 of the Policy, as well as the size and complexity of the issuer’s DC&P and ICFR. The documentation might take many forms (e.g., paper documents, electronic, or other media) and could be presented in a number of different ways (e.g., policy manuals, process models, flowcharts, job descriptions, documents, internal memoranda, forms, etc). Certifying officers should use their judgment, acting reasonably, to determine the extent and form of documentation.
(2) Documentation of the control environment -To provide reasonable support for the certifying officers’ design of DC&P and ICFR, the certifying officers should generally document the key elements of an issuer’s control environment, including those described in subsection 6.7(2) of the Policy.
(3) Documentation for design of DC&P – To provide reasonable support for the certifying officers’ design of DC&P, the certifying officers should generally document:
(a) the processes and procedures that ensure information is brought to the attention of management, including the certifying officers, in a timely manner to enable them to determine if disclosure is required; and
(b) the items listed in section 6.8 of the Policy.
(4) Documentation for design of ICFR – To provide reasonable support for the certifying officers’ design of ICFR, the certifying officers should generally document:
(a) the issuer’s ongoing risk-assessment process and those risks which need to be addressed in order to conclude that the certifying officers have designed ICFR;
(b) how significant transactions, and significant classes of transactions, are initiated, authorized, recorded and processed;
(c) the flow of transactions to identify when and how material misstatements or omissions could occur due to error or fraud;
(d) a description of the controls over relevant assertions related to all significant accounts and disclosures in the financial statements;
(e) a description of the controls designed to prevent or detect fraud, including who performs the controls and, if applicable, how duties are segregated;
(f) a description of the controls over period-end financial reporting processes;
(g) a description of the controls over safeguarding of assets; and
(h) the certifying officers’ conclusions on whether a material weakness relating to the design of ICFR exists at the end of the period.