The Fourth Phase of CEO/CFO Certification Rules
The last shoe has dropped in the Canadian Securities Administrators’ regulatory scheme to implement internal control over financial reporting (ICOFR) for Canadian public companies.
As we discussed in the previous issue of the PolicyPro Bulletin, the CSA indicated that the rules for the “fourth phase” of the CEO/CFO certification process, which would require attestation as to the operating effectiveness of internal controls on an annual basis, would be released at the end of March.
True to their word, on March 30th they released proposed revisions to Multilateral Instrument 52-109. The gist of the new proposed rules is as follows:
- That the CEO and CFO certify that they have evaluated (or caused others to evaluate under their supervision) the effectiveness of ICOFR
- That they have disclosed any fraud involving management or any other employees with a significant role in ICOFR to their auditors, the board of directors, and the audit committee of the board
The CEO and CFO must also disclose the following in the annual MD&A:
- The process used to evaluate the effectiveness of ICOFR
- Conclusions about the effectiveness of ICOFR
- Any “reportable deficiency” (a new term that describes a deficiency that would cause any reasonable person to doubt the reliability of the issuer’s financial statements), and
- Any remediation plan to address deficiencies
The CSA also released a comprehensive companion policy (52-109 CP) that provides extensive guidance on the way that regulators intend to interpret the new rules. This companion policy includes the following:
- A list of the control frameworks that are available for designing and evaluating ICOFR. Although the use of a framework is not mandatory, it is highly recommended
- Advice about using a top-down, risk-based approach
- Design challenges and key components of ICOFR
- Required documentation
- Use of an external auditor or other independent third party
These new rules are not yet in force. They have been released for comment for a period that ends June 28, 2007. The new rules are proposed to apply to all reporting issuers (except investment funds) beginning with fiscal years ending on or after June 30, 2008.
For the complete CSA document, click here.

Network Security Chapter Added to ITPP
We’re very pleased to announce that we’ve added an important new chapter, Network Security, to Information Technology PolicyPro (ITPP) with the first release of 2007, published in March.
The Network Security chapter includes 9 model policies, as follows:
- SPP IT 10.01 – Network Hardware Connection identifies controls required to ensure that non-company-owned equipment connected to the network does not endanger system security
- SPP IT 10.02 – Firewall Protection identifies the processes and controls required to ensure that the firewall is configured to maximize the protection provided to the network while permitting required access
- SPP IT 10.03 – Remote Access sets out the processes and controls required to ensure that remote access to the company’s network is permitted in a manner that minimizes threat of loss or damage to the company’s IT resources and data
- SPP IT 10.04 – Wireless Network addresses the policies and controls necessary to ensure that the company’s wireless network is configured and operated in a manner that minimizes threat of loss or damage to the company’s IT resources and data
- SPP IT 10.05 – Network Intrusion Detection covers the processes required to ensure that the network is monitored for intrusion
- SPP IT 10.06 – File Transfer Protocol (FTP) sets out the controls required when remote transfers using FTP are permitted
- SPP IT 10.07 – Email Security sets out policies to minimize the risk from use of email
- SPP IT 10.08 – Instant Messaging sets out policies recommended to ensure that the use of instant messaging does not endanger system security
- SPP IT 10.09 – Electronic Commerce sets out policies required to protect against the risks inherent in sending financial transaction information through the public network
For more information about ITPP, and a link to take a 30-day, no-obligation trial, click here.

Fixing Canada’s Trade Policies Key to International Success
Politicians at all levels tend to invest heavily in trade and investment missions, fairs, and negotiations abroad. However, the evidence suggests that changes to Canadian policies are likelier to result in better global economic outcomes for Canada. In If We Can Fix It Here, We’ll Make It Anywhere: Boosting Canada’s Global Economic Success Through Effective Policies at Home, a briefing from The Conference Board of Canada, author Danielle Goldfarb discusses five types of barriers that Canada can control—such as labour mobility and infrastructure restrictions, and regulatory differences between provinces—as well as some of their likely effects.
Click here to link to this interesting document.
Note: If you are not a registered user of the Conference Board of Canada’s e-Library, you will need to register, as follows:
- Click Download Document to open the Sign in or Create a New Account page
- Click Create an Account
- Follow the directions to complete your registration

IT Aspects of Business Continuity Planning
As you can tell by its title, 20 Questions Directors Should Ask about the Information Technology Aspects of Business Continuity Planning, published by the Information Technology Advisory Committee of the CICA, is targeted to the members of an organization’s board of directors to help them discharge their responsibility to manage a company’s overall risk management strategy.
But if you turn that proposition around, the questions posed in this handy brochure are the ones that CEOs, CFOs, CIOs and IT managers must be prepared to answer.
To download a copy of this very useful ITAC publication, click here and follow the link under Risk Management and Governance Publications.

Ontario Privacy Commissioner Supports Biometric Encryption
Biometrics, such as fingerprints and iris scans, are unique physiological traits that can be used to positively identify an individual. For this reason, they are an ideal unique key to join different pieces of data across multiple databases.
However, creating and maintaining databases of biometric data would have serious implications for personal privacy. After all, biometric data is permanent, and cannot be "re-entered" if it is lost or stolen.
The Privacy Commissioner of Ontario, Ann Cavoukian, has recently co-authored a research paper with scientist Alex Stoianov that discusses the privacy, trust and security issues around biometric information. The paper also offers a solution: Biometric Encryption (BE), algorithms that use biometric information to encrypt other information, such as a PIN or account number. It's this encrypted information that becomes the unique ID, not the biometric information itself. As Commissioner Cavoukian says: "BE allows an individual's biometric data to be transformed into multiple and varied identifiers for different purposes, so that these identifiers cannot be correlated with one another. Better still, if a biometric identifier is somehow compromised, a completely new one may be easily generated from the same finger or iris of an individual."
Click here to link to the news release and the research paper.

Your Bogus Cheque is in the Mail
Fraudulent cheques are used by scammers to commit various types of fraud such as overpayment schemes, phoney employment opportunities and lottery scams.
In Your Bogus Cheque is In the Mail, the Competition Bureau warns consumers to be skeptical if they receive a questionable cheque or a prize notice.
Click here to link to the article.

About the PolicyPro Bulletin
Editor: Colin Braithwaite, Managing Editor – PolicyPro.
Please do not reply to this Email.
PolicyPro Bulletin is a complimentary service published by First Reference Inc. and is sent to you monthly. Each issue of the PolicyPro Bulletin provides headlines and summaries of news that affects internal controls and policies in Canada.
Please forward this Bulletin to your colleagues.
Please send any comments or suggestions about the PolicyPro Bulletin to editor@policypro.ca. For information about the PolicyPro Library, visit www.PolicyPro.ca. For information about First Reference and our HR-related products, visit www.firstreference.com.
To read our Terms of Use, Disclaimer, Privacy Policy and other legal matters, visit PolicyPro.ca.
This publication is written for informational purposes only and should NOT be relied upon as legal advice or opinions. The reader should always obtain legal advice from a qualified lawyer or other qualified professional, which will be responsive to the case or circumstance of the individual. Please note that the content provided in this Bulletin or any content contained in or made available through any third party website linked to from this Bulletin, is provided "as is" without representations or warranties of any kind. All representations and warranties in respect of Content or Third Party Content, express or implied, including, without limitation any representations to warranties or conditions regarding accuracy, timeliness, completeness, non-infringement, merchantability or fitness for any particular purpose are hereby disclaimed.
PolicyPro Bulletin ISSN: 1718-5866 Copyright ©2007, First Reference Inc., All Rights Reserved.