Section 3.4 of the Instrument requires an issuer to use a control framework in order to design the issuer’s ICFR. The framework used should be a suitable control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. Examples of suitable frameworks that an issuer could use to design ICFR are: (a) the Risk Management and Governance: Guidance on Control (COCO Framework), formerly known as Guidance of the Criteria of Control Board, published by The Canadian Institute of Chartered Accountants; (b) the Internal Control – Integrated Framework (COSO Framework) published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO); and (c) the Guidance on Internal Control (Turnbull Guidance) published by The Institute of Chartered Accountants in England and Wales. A smaller issuer can also refer to Internal Control over Financial Reporting – Guidance for Smaller Public Companies published by COSO, which provides guidance to smaller public companies on the implementation of the COSO Framework. In addition, IT Control Objectives for Sarbanes-Oxley, published by the IT Governance Institute, might provide useful guidance for the design and evaluation of information technology controls that form part of an issuer’s ICFR.
The control frameworks referred to in section 5.1 include in their definition of “internal control” three general categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. ICFR is a subset of internal controls relating to financial reporting. ICFR does not encompass the elements of these control frameworks that relate to effectiveness and efficiency of an issuer’s operations or an issuer’s compliance with applicable laws and regulations, except for compliance with the applicable laws and regulations directly related to the preparation of financial statements.