According to Canadian Securities Administrators (CSA) Multilateral Instrument 52-109, public issuers are required to certify their disclosure controls and procedures for fiscal years ending after March 30, 2005. This year, CEOs and CFOs must certify that they have: 1) designed disclosure controls and procedures, 2) evaluated the effectiveness of disclosure controls and procedures, and then 3) disclosed their conclusions about the effectiveness in their annual Management Discussion & Analysis (MD&A).
To help organizations understand what's required of them, and where they are on the path to disclosure control certification, we have compiled some commonly asked questions and answers about disclosure controls and procedures. If you have not yet taken steps to ensure your processes will produce public disclosures that are accurate, complete, consistent, timely, and fairly represent your company's financial condition, Deloitte outlines what you need to know to get there.
Our company's year-end is coming soon, but we haven't yet established our disclosure control processes. Where do we begin?
First, determine your organization's disclosure control universe. Disclosure controls extend to all regulatory filings including financial statements, earnings press releases, MD&A, prospectuses, business acquisition reports, takeover bids, annual reports, annual information forms, information circulars, material change reports and press releases containing financial information.
But many organizations are extending their disclosure controls and procedures beyond normal regulatory filings to encompass other types of information. For example, they are designing disclosure controls and procedures to include information presented to analysts and credit rating agencies, investor presentations, earnings guidance, web sites, foreign statutory filings, and environmental, health and safety reports. These companies are really embracing the spirit of the CSA's disclosure controls and procedures certification requirements to enhance the overall completeness, accuracy, consistency and timeliness of their disclosures.
How might our company benefit from ensuring we have effective disclosure controls and procedures?
The obvious benefit from ensuring the company has effective disclosure controls and procedures is to support the certifications that the CEO and CFO are required to provide. However, the true benefits extend well beyond those related to providing the certifications. Disclosure controls and procedures provide a quality control over the disclosure process. Ensuring the company has strong disclosure controls and procedures will reduce the risk of the company failing to disclose material information on a timely basis or filing regulatory documents that are incomplete or inaccurate. The loss of reputation, investor confidence and market value that may result from a breakdown in the disclosure controls and procedures could be very significant.
On December 31, 2005, amendments to the Securities Act (Ontario) become effective. These amendments will introduce civil liability for misrepresentations in continuous disclosure documents and for failure to make timely disclosure. These amendments provide a formula for the determination of financial penalties for issuers, directors and officers. An effective system of disclosure controls and procedures, supported by a rigorous annual evaluation of effectiveness, is a key element of the due diligence that directors and officers should be undertaking in connection with the civil liability amendments.
What factors should we consider when designing our disclosure controls and procedures?
Once your company has determined the disclosure universe, you can begin to design and evaluate your disclosure controls.
First, you need to create an appropriate culture that encourages the timely disclosure of material events. This includes establishing an effective "tone at the top." Second, you should identify and assess key risks that may impact your ability to identify and disclose material information and prepare regulatory filings that are complete, accurate, consistent and timely. Third, design and document specific controls and procedures related to the key processes you use to identify material information, prepare regulatory filings and other public documents, and communicate information to external parties. This may include, but is not limited to, establishing an effective disclosure committee, a disclosure policy and a sub-certification process.
We've just implemented disclosure controls and procedures, but we don't know how effective they are. How can we evaluate our disclosure controls and procedures?
Disclosure controls and procedures will generally be effective if they provide reasonable assurance that material information is being identified and reported to the CEO and CFO on a timely basis, material information is disclosed on a timely basis through the appropriate regulatory filings, and the company's regulatory filings are complete, accurate, consistent and timely. The evaluation should be designed to achieve these objectives. This will typically include:
Planning the evaluation to address: (i) the key areas of disclosure risk, (ii) the processes used to identify material information, and (iii) the processes used to prepare the public disclosures in the company's disclosure universe.
Reviewing the company's documented policies, procedures and controls to ensure they are complete and effective from a design perspective - do they sufficiently address completeness, accuracy, consistency and timeliness?
Reviewing the documented controls and procedures to ensure they have been properly implemented. This can be achieved by reviewing documentation such as minutes, supporting documentation, evidence of reviews and approvals, and sub-certifications, and by speaking with individuals involved in the disclosure process to ensure there are no gaps between how controls were designed and implemented.
Reviewing the quality and level of rigour that supports the key controls. For example, if the review of regulatory filings by the disclosure committee is a key control, understand the process that the disclosure committee undertakes to complete this review. Is it a quick high-level review, or is it a more systematic process focused on identifying areas where the filings may not be complete, accurate or consistent, one where the committee engages in discussion around whether the filings represent a fair presentation?
We already have a disclosure control policy in place. Isn't that enough to satisfy the regulators?
A disclosure policy is typically a key component of the design of disclosure controls and procedures. It usually documents the company's policies regarding the identification and reporting of information that may be material, communications with external parties, and often issues such as confidentiality and insider trading. Companies should also document their policies, procedures and controls for the preparation, review and approval of individual regulatory documents and other forms of public disclosures. Good written policies and procedures that address the controls necessary to ensure completeness, accuracy, consistency and timeliness are the cornerstone of effective disclosure controls and procedures. But equally important is the level of awareness of the company's policies and the quality of their implementation and operation.
Is there a critical element of effective disclosure controls and procedures?
A strong disclosure culture is usually the foundation of effective disclosure controls and procedures. To foster this type of culture, you need a visible commitment from senior management, open and candid communication between all parties involved in operations, governance and financial and regulatory reporting, and a strong control and governance environment.
If your company has this type of culture, you will likely go beyond simply complying with regulatory requirements. A strong disclosure culture can differentiate your organization in today's competitive marketplace, ultimately ensuring higher quality, more transparent financial and regulatory reporting and increased investor confidence.
What's the difference between disclosure controls and procedures and internal control over financial reporting? Which controls do we have to certify?
Disclosure controls and procedures are intended to cover the processes and controls used to prepare all of the company's regulatory filings, including the financial statements. Internal control over financial reporting is focused on the financial statements and the financial reporting processes. In addition, the evaluation of internal control over financial reporting is linked to an accepted control framework such as COSO, whereas no generally accepted framework exists for disclosure controls and procedures.
The effective dates for the various components of Multilateral Instrument 52-109 (MI 52-109), including amendments per CSA Notice 52-313, are staggered as follows:
Issuers are required to certify the design and evaluation of disclosure controls and procedures under MI 52-109 for fiscal years ending after March 30, 2005.
For years ending on or after June 30, 2006, issuers will be required to certify they have designed internal control over financial reporting.
The first disclosure in the MD&A regarding management's evaluation of the effective operation of internal control over financial reporting will not be required under the expected amendment to MI 52-109 until fiscal years ending on or after December 31, 2007.
There is some overlap between disclosure controls and procedures and internal control over financial reporting. Multilateral Instrument 52-109 points out that "disclosure controls and procedures may include those components of internal control over financial reporting that provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with the issuer's GAAP."
The securities regulators note at the same time that there are important differences. "There are, however, some elements of disclosure controls and procedures that are not subsumed within the definition of internal control over financial reporting and some elements of internal control over financial reporting that are not subsumed within the definition of disclosure controls and procedures."
We're ready to evaluate the effectiveness of our disclosure controls and procedures. How do we determine the level of effort required?
MI 52-109 suggests that the level of effort, the nature of the work, and the nature and extent of the evidence to support the effectiveness of your disclosure controls is "a matter of judgment for the certifying officers." The CEO and CFO should consider the company's unique circumstances, including size, the nature of the business and the complexity of operations. The level of effort required is also impacted by the nature and magnitude of the disclosure risks identified.
There is no requirement with respect to the evaluation of disclosure controls and procedures for management to perform work and gather appropriate evidence such that an external auditor could assess management's conclusions regarding effectiveness. The level of effort and the nature of the evidence required should be sufficient to give the CEO and CFO the necessary level of reasonable assurance they believe is required in order to be able to provide the individual certification and a due diligence defence against liability for continuous disclosure.
What are the responsibilities of the audit committee with respect to disclosure controls and procedures?
While it is the CEOs and CFOs who must provide the individual certifications, the audit committee should also take an interest in the effectiveness of the company's disclosure controls and procedures. MI 52-109 does not include any specific requirements for the audit committee with regard to disclosure controls and procedures. However, since the board is required to approve the annual MD&A, which includes the results of management's evaluation of the effectiveness of disclosure controls and procedures, the audit committee and the board will want to understand the process used by management to arrive at its conclusion regarding effectiveness. In addition, the existence of effective disclosure controls and procedures will assist the audit committee in its oversight role over public disclosures. More specifically, MI 52-110 sets out the following requirements for audit committees:
"An audit committee must review the issuer's financial statements, MD&A, and annual and interim earnings press releases before the issuer publicly discloses this information."
"An audit committee must be satisfied that adequate procedures are in place for the review of the issuer's public disclosure of financial information extracted or derived from the issuer's financial statements,…and must periodically assess the adequacy of those procedures."
The bottom line is that the audit committee should understand how management has designed disclosure controls and procedures and the process used to evaluate their effectiveness.