Bill 198 and Internal Controls for Technology

WHITEpaper
Canada Implements
Corporate Governance:
Bill 198 and Internal Controls for Technology
page 2 Introduction
page 2 Overview of Bill 198, MI-52-109 and MI-52-111
page 3 Control Elements: Internal Controls and Information Technology
page 6 Evaluation of Internal Controls under Bill 198
page 6 Disclosure Requirements Under Bill 198
page 7 Conclusion:?Meeting Bill 198 Requirements and the Role of Change Management
page 8 Other Resources
1Daniel J. Langin, Attorney at Law LLC ©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.WHITE?PAPERCanada Implements Corporate Governance
IntroductionMuch has been written about the internal control and disclosure requirements of the Sarbanes-Oxley Act ("SOX") in the United States following many high-profile cases of corporate malfeasance and deceptive practices. Not surprisingly, Canada has enacted its own solution to today's governance and financial reporting requirements, factoring in the US experience and their requirements, officially known as Bill 198.
Although Bill 198 (like SOX) does not directly address IT controls, the law has significant IT and information security implications because most companies' financial reporting and operations depend heavily on information technology. This paper will focus on the three elements of Bill 198 that have the most impact on IT, namely:
. Control (internal controls over financial reporting, and disclosure controls and procedures). Evaluation (governance, measurement and recordkeeping), and. Disclosure (reporting and certification)
Overview of Bill 198, MI-52-109 and MI-52-111To understand these controls, evaluation and disclosure requirements, companies first need to understand Bill 198 in more detail. In a nutshell, Bill 198 requires publicly held companies to implement internal controls over financial reporting and disclosure controls and procedures, evaluate the strengths and weaknesses of these controls and certify to their effectiveness in official documents filed with Canada's securities regulators. If this sounds a lot like SOX, that is how it was intended. Canadian authorities designed parts of Bill 198 to be very similar to SOX so that Canadian investors would not be tempted to send their capital to more regulated markets in the US.
The three core provisions that affect IT are Bill 198 and two instruments created to implement it, namely MI 52-109 (titled "Certification of Disclosure in Issuers' Annual and Interim Filings") and MI 52-111 (titled "Reporting on Internal Controls Over Financial Reporting"). Bill 198 amends Canadian securities laws to:
requir[e] reporting issuers to devise and maintain a system of internal controls related to the effectiveness and efficiency of their operations, including financial reporting and asset control.
Bill 198 also requires adoption of internal controls over disclosure procedures (i.e., controls to ensure that disclosures required by law are accurate and that material financial information is reported up the management chain to the CEO and CFO). Bill 198 further requires CEOs and CFOs to provide regular certifications that address the establishment and maintenance of internal controls, the design of the internal controls, and their evaluation of the controls' effectiveness.
More details concerning these requirements are contained in MI 52-111 and MI 52-109. These two regulations are very similar to SOX 302 and 404, which are two core provisions of SOX that affect IT internal controls. MI 52-109 (like SOX 302) requires that companies file annual and interim certifications demonstrating that they have designed internal controls over financial reporting and disclosure controls and procedures, that they evaluate their effectiveness and disclose any changes that have affected or may affect them. MI 52-111 (like SOX 404) requires companies to adopt a "suitable control framework" (see below), annually evaluate the effectiveness of their internal control structure over financial reporting, maintain trustworthy and reliable evidence to support this annual evaluation and file a detailed annual internal controls report.
As noted above, these provisions can be broken down into the three basic elements... [download for more]