Most sections in this Part apply to both an evaluation of the operating effectiveness of DC&P (DC&P evaluation) and an evaluation of the operating effectiveness of ICFR (ICFR evaluation); however, some sections apply specifically to an ICFR evaluation.
The purpose of the DC&P and ICFR evaluations is to determine whether the issuer’s DC&P and ICFR designs are operating as intended. To support a conclusion that DC&P or ICFR is effective, certifying officers should obtain sufficient appropriate evidence at the date of their assessment that the components of DC&P and ICFR that they designed, or caused to be designed, are operating as intended. Regardless of the approach the certifying officers use to design DC&P or ICFR, they could use a top-down, risk-based approach to evaluate DC&P or ICFR in order to limit the evaluation to those controls and procedures that are necessary to address the risks that might reasonably result in a material misstatement. Form 52-109F1 requires disclosure of each material weakness relating to the operation of the issuer’s ICFR. Therefore, the scope of the ICFR evaluation must be sufficient to identify any such material weaknesses.
Form 52-109F1 requires the certifying officers to certify that they have evaluated, or supervised the evaluation of, the issuer’s DC&P and ICFR. Employees or third parties, supervised by the certifying officers, may conduct the evaluation of the issuer’s DC&P and ICFR. Such employees should individually and collectively have the necessary knowledge, skills, information and authority to evaluate the DC&P and ICFR for which they have been assigned responsibilities. Nevertheless, certifying officers must retain overall responsibility for the evaluation and resulting MD&A disclosure concerning the issuer’s DC&P and ICFR. Certifying officers should ensure that the evaluation is performed with the appropriate level of objectivity. Generally, the individuals who evaluate the operating effectiveness of specific controls or procedures should not be the same individuals who perform the specific controls or procedures. See section 7.10 of the Policy for guidance on self-assessments.
The certifying officers might decide to use a third party to assist with their DC&P or ICFR evaluations. In these circumstances, the certifying officers should assure themselves that the individuals performing the agreed-upon evaluation procedures have the appropriate knowledge and ability to complete the procedures. The certifying officers should be actively involved in determining the procedures to be performed, the findings to be communicated and the manner of communication. If an issuer chooses to engage its external auditor to assist the certifying officers in the DC&P and ICFR evaluations, the certifying officers should determine the procedures to be performed, the findings to be communicated and the manner of communication. The certifying officers should not rely on ICFR-related procedures performed and findings reported by the issuer’s external auditor solely as part of the financial statement audit. However, if the external auditor is separately engaged to perform specified ICFR-related procedures, the certifying officers might use the results of those procedures as part of their evaluation even if the auditor uses those results as part of the financial statement audit. If the issuer refers, in a continuous disclosure document, to an audit report relating to the issuer’s ICFR, prepared by its external auditor, then it would be appropriate for the issuer to file a copy of the internal control audit report with its financial statements.
Certifying officers can use a variety of tools to perform their DC&P and ICFR evaluations. These tools include: (a) certifying officers’ daily interaction with the control systems; (b) walkthroughs; (c) interviews of individuals who are involved with the relevant controls; (d) observation of procedures and processes, including adherence to corporate policies; (e) reperformance; and (f) review of documentation that provides evidence that controls, policies or procedures have been performed. Certifying officers should use a combination of tools for the DC&P and ICFR evaluations. Although inquiry and observation alone might provide an adequate basis for an evaluation of an individual control with a lower risk, they will not provide an adequate basis for the evaluation as a whole. The nature, timing and extent of evaluation procedures necessary for certifying officers to obtain reasonable support for the effective operation of a component of DC&P or ICFR depends on the level of risk the component of DC&P or ICFR is designed to address. The level of risk for a component of DC&P or ICFR could change each year to reflect management’s experience with a control’s operation during the year and in prior evaluations.
The certifying officers’ daily interaction with their control systems provides them with opportunities to evaluate the operating effectiveness of the issuer’s DC&P and ICFR during a financial year. This daily interaction could provide an adequate basis for the certifying officers’ evaluation of DC&P or ICFR if the operation of controls, policies and procedures is centralized and involves a limited number of personnel. Reasonable support of such daily interaction would include memoranda, e-mails and instructions or directions from the certifying officers to other employees.
A walkthrough is a process of tracing a transaction from origination, through the issuer’s information systems, to the issuer’s financial reports. A walkthrough can assist certifying officers to confirm that: (a) they understand the components of ICFR, including those components relating to the prevention or detection of fraud; (b) they understand how transactions are processed; (c) they have identified all points in the process at which misstatements related to each relevant financial statement assertion could occur; and (d) the components of ICFR have been implemented.
(1) General – Reperformance is the independent execution of certain components of the issuer’s DC&P or ICFR that were performed previously. Reperformance could include inspecting records whether internal (e.g., a purchase order prepared by the issuer’s purchasing department) or external (e.g., a sales invoice prepared by a vendor), in paper form, electronic form or other media. The reliability of records varies depending on their nature, source and the effectiveness of controls over their production. An example of reperformance is inspecting whether the quantity and price information in a sales invoice agree with the quantity and price information in a purchase order, and confirming that an employee previously performed this procedure. (2) Extent of reperformance – The extent of reperformance of a component of DC&P or ICFR is a matter of judgment for the certifying officers, acting reasonably. Components that are performed more frequently (e.g., controls for recording revenue) will generally require more testing than components that are performed less frequently (e.g., controls for monthly bank reconciliations). Components that are manually operated will likely require more rigorous testing than automated controls. Certifying officers could determine that they do not have to test every individual step comprising a control in order to conclude that the overall control is operating effectively. (3) Reperformance for each evaluation – Certifying officers might find it appropriate to adjust the nature, extent and timing of reperformance for each evaluation. For example, in “year 1”, certifying officers might test information technology controls extensively, while in “year 2”, they could focus on monitoring controls that identify changes made to the information technology controls. Certifying officers should consider the specific risks the controls address when making these types of adjustments. It might also be appropriate to test controls at different interim periods, increase or reduce the number and types of tests performed or change the combination of procedures used in order to introduce unpredictability into the testing and respond to changes in circumstances.
A self-assessment is a walk-through or reperformance of a control, or another procedure to analyze the operation of controls, performed by an individual who might or might not be involved in operating the control. A self-assessment could be done by personnel who operate the control or members of management who are not responsible for operating the control. The evidence of operating effectiveness from self-assessment activities depends on the personnel involved and how the activities are conducted. A self-assessment performed by personnel who operate the control would normally be supplemented with direct testing by individuals who are independent from the operation of the control being tested and who have an equal or higher level of authority. In these situations, direct testing of controls would be needed to corroborate evidence from the self-assessment since the self-assessment alone would not have a reasonable level of objectivity. In some situations a certifying officer might perform a self-assessment and the certifying officer is involved in operating the control. Even if no other members of management independent from the operation of the control with equal or higher level of authority can perform direct testing, the certifying officer’s self-assessment alone would normally provide sufficient evidence since the certifying officer signs the annual certificate. In situations where there are two certifying officers and one is performing a self-assessment, it would be appropriate for the other certifying officer to perform direct testing of the control.
Form 52-109F1 requires certifying officers to certify that they have evaluated the effectiveness of the issuer’s DC&P and ICFR, as at the financial year end. Certifying officers might choose to schedule testing of some DC&P and ICFR components throughout the issuer’s financial year. However, since the evaluation is at the financial year end, the certifying officers will have to perform sufficient procedures to evaluate the operation of the components at year end. Since some year-end procedures occur subsequent to the year end (e.g., financial reporting close process), some testing of DC&P and ICFR components could also occur subsequent to year-end. The timing of evaluation activities will depend on the risk associated with the components being evaluated, the tools used to evaluate the components, and whether the components being evaluated are performed prior to, or subsequent to, year end.
For each annual evaluation the certifying officers must evaluate those components of ICFR that, in combination, provide reasonable assurance regarding the reliability of financial reporting. For example, the certifying officers cannot decide to exclude components of ICFR for a particular process from the scope of their evaluation simply based on prior-year evaluation results. To have a reasonable basis for their assessment of the operating effectiveness of ICFR, the certifying officers must have sufficient evidence supporting operating effectiveness of all relevant components of ICFR as of the date of their assessment.
(1) Extent of documentation for evaluation – The certifying officers should generally maintain documentary evidence sufficient to provide reasonable support for their certification of a DC&P and ICFR evaluation. The extent of documentation used to support the certifying officers’ evaluations of DC&P and ICFR for each annual certificate will vary depending on the size and complexity of the issuer’s DC&P and ICFR. The extent of documentation is a matter of judgment for the certifying officers, acting reasonably. (2) Documentation for evaluations of DC&P and ICFR – To provide reasonable support for a DC&P or ICFR evaluation the certifying officers should generally document: (a) a description of the process the certifying officers used to evaluate DC&P or ICFR; (b) how the certifying officers determined the extent of testing of the components of DC&P or ICFR; (c) a description of, and results from applying, the evaluation tools discussed in sections 7.6 and 7.7 of the Policy or other evaluation tools; and (d) the certifying officers’ conclusions about: (i) the operating effectiveness of DC&P or ICFR, as applicable; and (ii) whether a material weakness relating to the operation of ICFR existed as at the end of the period.