Cross-border ICFR readiness in MJDS issuers

Executive summary

Canadian reporting issuers that are also registered with the US SEC under the Multijurisdictional Disclosure System (MJDS) operate under two ICFR regimes simultaneously — Canada's NI 52-109 and the US Sarbanes-Oxley framework. The two regimes share substantial structural common ground and diverge on specific points that materially affect implementation effort, audit relationship, and risk exposure. The convergence is what gets attention. The divergences are where implementation typically goes wrong.

This report draws on the combined practice's cross-border financial-controls engagement base — including direct in-house and advisory work at Caribbean Utilities Company (CUC), the TSX-listed Fortis Inc. subsidiary, plus engagements across the cross-border ICFR practitioner network. The observations below reflect patterns observed across the practice; specific issuer detail is not disclosed.

The headline observation: MJDS issuers consistently underestimate the practitioner-level differences between the two regimes. Programmes designed primarily around NI 52-109 requirements often discover substantive gaps when applied to SOX 404 testing depth, particularly where SOX 404(b) auditor attestation applies. Programmes designed primarily around SOX often discover that NI 52-109 has specific Canadian regulatory and audit committee expectations that the SOX-oriented programme does not address fully.

The MJDS context

What MJDS is

The Multijurisdictional Disclosure System is the regulatory framework under which Canadian reporting issuers can satisfy US SEC reporting requirements primarily through compliance with Canadian disclosure rules. For eligible Canadian issuers, MJDS enables filing on US Form 40-F (annual) rather than the more onerous Form 20-F (used by other foreign private issuers). The framework is substantively favourable to MJDS-eligible Canadian issuers — it allows simultaneous access to Canadian and US capital markets with reduced disclosure duplication.

MJDS does not, however, exempt the issuer from SOX. Canadian MJDS issuers filing on Form 40-F remain subject to Sections 302, 404, and 906 of the Sarbanes-Oxley Act as applicable to their filer category. The MJDS issuer therefore operates under both NI 52-109 (as a Canadian reporting issuer) and SOX (as an SEC-registered filer), and must comply with both regimes' ICFR provisions.

Why MJDS issuers matter

Several hundred Canadian issuers are eligible for MJDS, and a substantial fraction maintain US listings under the framework. The category includes some of the largest Canadian-domiciled enterprises by market capitalisation. The cross-border ICFR question is not a niche concern; it affects a meaningful population of issuers whose investor base, regulatory exposure, and operating context spans both Canadian and US frameworks.

Where SOX and NI 52-109 share common ground

Conceptual architecture

Both regimes are built on the same underlying conceptual architecture: management is responsible for establishing and maintaining adequate internal control over financial reporting; management certifies the design and effectiveness of those controls; the controls are evaluated against a recognised control framework (typically COSO 2013 for both regimes); deficiencies in internal control are classified by severity and disclosed where material.

The shared architecture means an ICFR programme designed to satisfy one regime is structurally compatible with the other in most respects. The same risk-and-control matrix, the same significant account analysis, the same control documentation, and the same testing evidence largely transfer. This common-ground reality is what makes the two regimes look similar at executive level.

Risk-based approach

Both regimes prescribe a risk-based approach to scope and testing. Materiality determinations, significant account identification, fraud risk consideration, and control selection follow broadly similar logic. The COSO 2013 framework — including the five components and seventeen principles — is recognised by both regimes as a suitable control framework. The principles-based foundation is consistent across both.

Deficiency severity framework

The terminology of “deficiency”, “significant deficiency”, and “material weakness” is broadly equivalent across the two regimes, though the authoritative interpretive guidance differs (PCAOB AS 2201 for SOX; CSA staff guidance for NI 52-109). The deficiency identification and classification process is operationally similar; the substantive divergence sits in interpretive nuance rather than in fundamental framework.

Where the regimes substantively diverge

Auditor attestation under SOX 404(b)

The most consequential divergence is the auditor attestation requirement under SOX 404(b). For SEC filers above the smaller reporting company threshold, the external auditor must attest to the effectiveness of ICFR independently of management's assessment. This attestation is governed by PCAOB Auditing Standard 2201 and represents a substantive incremental audit effort relative to a financial statement audit alone.

NI 52-109 has no equivalent mandatory auditor attestation requirement. The CEO and CFO certify ICFR design and effectiveness; there is no parallel auditor attestation. This is a structural divergence with material implications: MJDS issuers above the SOX 404(b) threshold face the substantive audit cost of PCAOB AS 2201 attestation that purely Canadian issuers do not.

The implementation implication is significant. ICFR programmes at MJDS issuers must produce documentation, testing, and evidence to a standard that supports PCAOB AS 2201 auditor reliance. That standard is materially more demanding than what a Canadian-only programme would target. Issuers transitioning into SOX 404(b) applicability for the first time — typically through growth past the filer-status thresholds — consistently discover the incremental work required.

Material weakness disclosure interpretive divergence

Both regimes require disclosure of material weaknesses identified in ICFR. The interpretive framework for determining what constitutes a material weakness has evolved differently under PCAOB guidance versus CSA staff guidance. The substantive differences arise in two areas:

• Quantitative threshold considerations — PCAOB AS 5 / AS 2201 interpretation tends to emphasise the magnitude of misstatement that the deficiency could allow, evaluated against financial-statement materiality. CSA guidance considers similar factors but with somewhat different emphasis on aggregation effects and indirect impacts.
• Qualitative factor weighting— both regimes consider qualitative factors (control environment indicators, evidence of management override, persistent deficiencies). The relative weighting given to these qualitative factors versus quantitative thresholds differs subtly between the regimes' interpretive practice.

An MJDS issuer applying both interpretive frameworks consistently to the same control population can find that a deficiency is classified differently under each. The practical management of this divergence requires explicit articulation of which interpretive framework drives the severity determination — and disclosure under both regimes calibrated to the more conservative determination to avoid the appearance of inconsistency.

Remediation timing expectations

Both regimes expect timely remediation of identified material weaknesses, but the implicit expectations differ. SOX 404 — particularly where 404(b) auditor attestation applies — implicitly expects remediation before fiscal year end to support a clean assessment, because year-end determination of material weakness has substantial market and regulatory consequences. NI 52-109 disclosure of material weakness is the primary regulatory output, with remediation expected but on a somewhat less compressed timeline.

The practical implication: MJDS issuers identifying material weaknesses mid-year face dual pressure to remediate before year-end audit close — even though the NI 52-109 timeline alone might allow more substantive remediation work. The compressed remediation cycle is one of the operational realities that MJDS issuers consistently underestimate in their planning.

Audit committee relationship and communication

NI 52-109 operates within the broader Canadian corporate governance framework, including the audit committee composition and oversight expectations of National Instrument 52-110. SOX operates within the US framework, including the audit committee requirements of Section 301 of SOX and the related SEC rules.

The two frameworks substantially align — both require independent audit committees, financial expertise on the committee, audit committee oversight of internal controls and the external auditor. The substantive divergences sit in specific procedural expectations: audit committee meeting frequency, pre-approval of non-audit services by the external auditor, the form and frequency of control deficiency communication, the audit committee's role in approving the external auditor.

An MJDS issuer's audit committee must therefore satisfy expectations of both NI 52-110 and SOX Section 301 / SEC rules. The committee charters and operating practices of well-run MJDS issuers tend to be designed to the more demanding of the two regimes in each respect.

Operating patterns observed

The common implementation gap

Across the combined practice's cross-border engagement base, the most common implementation gap at MJDS issuers is documentation depth calibrated to NI 52-109 rather than to SOX 404(b). Canadian-only programmes can rest on relatively concise documentation that supports management certification; SOX 404(b) auditor attestation under PCAOB AS 2201 requires substantially deeper evidence trails, including walk-through documentation, evidence of operational testing, and testable conclusions on design and operating effectiveness.

MJDS issuers transitioning into SOX 404(b) — through growth past filer-status thresholds, through acquisition or restructuring that brings new entities into SOX scope, or through revisions to applicable SEC rules — consistently encounter documentation upgrades as a substantial early-cycle activity.

The auditor coordination question

MJDS issuers often have the same external auditor across both regimes, but the audit work performed under each is procedurally distinct. The integrated audit (financial statements + ICFR attestation for SOX 404(b)) is governed by PCAOB AS 2201; the financial statement audit alone is governed by applicable Canadian auditing standards. Coordination between these two audit perspectives — and between management's ICFR programme and the auditor's attestation work — is a recurring operational complexity.

The pattern that works at well-run MJDS issuers: explicit coordination protocols between management and the external auditor on the scope of management testing, the auditor's reliance on management work, the timing of attestation testing, and the resolution of identified deficiencies. The pattern that fails: management treats ICFR programme work as separate from the audit, and the auditor performs substantial parallel testing that could have been avoided with better coordination.

The cross-border resourcing question

Cross-border ICFR programmes require practitioners with credibility under both regimes. The Canadian financial reporting and auditing framework, the US framework, the PCAOB interpretive guidance, the CSA staff guidance — practitioners who hold credibility in only one regime tend to produce work that reads as compliant under one and as gap-filled under the other.

Senior practitioners with established cross-border credentials — CA + CPA combined credentials, CISA where IT general controls are in scope, deep experience in both audit frameworks — are materially more efficient at scoping and delivering cross-border work than practitioners with single-regime backgrounds. The premium for cross-border-specialist resourcing is operationally justified for issuers whose dual-regime exposure is sustained.

Forward considerations

Regulatory evolution in both regimes

Both regulatory regimes continue to evolve. SEC rule revisions periodically affect filer-status thresholds and the SOX 404(b) applicability boundary; CSA staff guidance on NI 52-109 evolves; PCAOB standards undergo periodic revision. MJDS issuers need to track changes in both regimes and their interaction.

Climate and sustainability disclosure integration

The integration of climate and sustainability disclosure with traditional ICFR is a growing consideration in both jurisdictions. IFRS S1/S2 adoption, SEC climate rules where they finalise, and Canadian sustainability disclosure expectations are all building toward an environment where the ICFR framework increasingly applies to sustainability-related disclosure controls. MJDS issuers should plan their ICFR programme architecture to accommodate this expansion.

Audit committee competency expectations

Both regimes have raised expectations of audit committee technical competency over the past decade. The cross-border audit committee at an MJDS issuer needs financial expertise sufficient to engage substantively with both Canadian and US-framework matters; risk and IT expertise sufficient to oversee the broader control environment; and the time and engagement to discharge the responsibility substantively rather than procedurally.

Recommendations for MJDS issuers

For finance leadership

Design the ICFR programme to satisfy the more demanding of the two regimes on each specific dimension. Documentation depth to SOX 404(b) standard; deficiency severity assessment to the more conservative interpretation; remediation timing to the SOX year-end expectation. The incremental cost relative to a Canadian-only programme is real but bounded; the cost of having to upgrade mid-cycle when SOX 404(b) applicability triggers is consistently higher.

For audit committees

Confirm that the audit committee charter and operating practice satisfy both NI 52-110 and SOX Section 301 / SEC rules. Confirm that committee composition includes the financial expertise required and that committee engagement with both Canadian and US-framework matters is substantive. Confirm that the committee receives ICFR programme reporting calibrated to the more demanding regime.

For boards

The MJDS arrangement is a strategic choice that simplifies access to both Canadian and US capital markets but does not simplify the ICFR compliance burden. Boards considering MJDS arrangements should ensure the compliance investment is sized for cross-border operations, not for Canadian-only compliance.

Methodology note

This report reflects observations aggregated from the combined practice's cross-border financial-controls engagement base, including direct in-house and advisory work. Specific issuer detail is not disclosed except where the issuer has cleared the disclosure for publication. The aggregated patterns reflect what the practice has observed consistently; individual issuer postures vary in either direction from the aggregated picture.

About the author and the firm

Kanika Guptais the Founder of Rapid Momentum Consulting and leads the firm's cross-border financial controls practice. She holds CA, CPA, CISA, CFE, CIH, CSP, NEBOSH, and OSHA credentials, with a Big Four background and direct in-house tenure at Caribbean Utilities Company (CUC) — the TSX-listed Fortis Inc. subsidiary — where she led financial-controls, ICFR, and adjacent assurance work. Her cross-border credential base spans both Canadian and US frameworks.

Rapid Momentum Consulting is an institutional assurance practice for multinational organisations, built on a combined advisory and delivery network operating since 2007. The firm operates from a permanent presence in nine countries with approximately 268 professionals including around 24 senior practitioners. Cross-border financial controls is a core practice area, anchored by ongoing engagement with CUC and broader cross-border MJDS practitioner work.