Section 3.4 of the Instrument requires an issuer to use a control framework in order to design the issuer’s ICFR. The framework used should be a suitable control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. Examples of suitable frameworks that an issuer could use to design ICFR are:
(a) the Risk Management and Governance: Guidance on Control (COCO Framework), formerly known as Guidance of the Criteria of Control Board, published by The Canadian Institute of Chartered Accountants;
(b) the Internal Control – Integrated Framework (COSO Framework) published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO); and
(c) the Guidance on Internal Control (Turnbull Guidance) published by The Institute of Chartered Accountants in England and Wales. A smaller issuer can also refer to Internal Control over Financial Reporting – Guidance for Smaller Public Companies published by COSO, which provides guidance to smaller public companies on the implementation of the COSO Framework. In addition, IT Control Objectives for Sarbanes-Oxley published by the IT Governance Institute, might provide useful guidance for the design and evaluation of information technology controls that form part of an issuer’s ICFR.