(1) Approaches to consider for design – The Instrument does not prescribe the approach certifying officers should use to design the issuer’s DC&P or ICFR. However, we believe that a top-down, risk-based approach is an efficient and cost-effective approach that certifying officers should consider. This approach allows certifying officers to avoid unnecessary time and effort designing components of DC&P and ICFR that are not required to obtain reasonable assurance. Alternatively, certifying officers might use some other approach to design, depending on the issuer’s size, nature of business and complexity of operations.
(2) Top-down, risk-based approach – Under a top-down, risk-based approach to designing DC&P and ICFR certifying officers first identify and assess risks faced by the issuer in order to determine the scope and necessary complexity of the issuer’s DC&P or ICFR. A top-down, risk- based approach helps certifying officers to focus their resources on the areas of greatest risk and avoid expending unnecessary resources on areas with little or no risk. Under a top-down, risk-based approach, certifying officers initially consider risks without considering any existing controls of the issuer. Using this approach to design DC&P, the certifying officers identify the risks that could, individually or in combination with others, reasonably result in a material misstatement in its annual filings, interim filings or other reports filed or submitted by it under securities legislation. Using this approach to design ICFR, the certifying officers identify those risks that could, individually or in combination with others, reasonably result in a material misstatement of the financial statements (financial reporting risks). A material misstatement includes misstatements due to error, fraud or omission in disclosure. Identifying risks involves considering the size and nature of the issuer’s business and the structure and complexity of business operations. If an issuer has multiple locations or business units, certifying officers initially identify the risks that could reasonably result in a material misstatement and then consider the significance of these risks at individual locations or business units. If the officers identify a risk that could reasonably result in a material misstatement, but the risk is either adequately addressed by controls, policies or procedures that operate centrally or is not present at an individual location or business unit, then certifying officers do not need to focus their resources at that location or business unit to address the risk. For the design of DC&P, the certifying officers assess risks for various types and methods of disclosure. For the design of ICFR, identifying risks involves identifying significant accounts and disclosures and their relevant assertions. After identifying risks that could reasonably result in a material misstatement, the certifying officers then ensure that the DC&P and ICFR designs include controls, policies and procedures to address each of the identified risks.
(3) Fraud risk – When identifying risks, certifying officers should explicitly consider the vulnerability of the entity to fraudulent activity (e.g., fraudulent financial reporting and misappropriation of assets). Certifying officers should consider how incentives (e.g., compensation programs) and pressures (e.g., meeting analysts’ expectations) might affect risks, and what areas of the business provide opportunity for an individual to commit fraud. For the purposes of this Instrument, fraud would generally include an intentional act by one or more individuals among management, other employees, those charged with governance or third parties, involving the use of deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept, for the purposes of this Instrument, the certifying officers should be concerned with fraud that could cause a material misstatement in the issuer’s annual filings, interim filings or other reports filed or submitted under securities legislation.
(4) Designing controls, policies and procedures – If the certifying officers choose to use a top-down, risk-based approach, they design specific controls, policies and procedures that, in combination with an issuer’s control environment, appropriately address the risks discussed in subsections (2) and (3). If certifying officers choose to use an approach other than a top-down, risk-based approach, they should still consider whether the combination of the components of DC&P and ICFR that they have designed are a sufficient basis for the representations about reasonable assurance required in paragraph 5 of the certificates.