Compliance crosswalk · NI 52-109

NI 52-109 (Canadian Securities Administrators) - email + domain controls, mapped to Wiredepth

Framework version: National Instrument 52-109 - Certification of Disclosure in Issuers' Annual and Interim Filings

Who this is for. Canadian reporting issuers (TSX, TSXV, CSE-listed). Two control frameworks are in scope: Disclosure Controls and Procedures (DCPs) and Internal Control over Financial Reporting (ICFR). NI 52-109 is the Canadian analogue of US Sarbanes-Oxley Sections 302 + 404; CEOs and CFOs personally certify the design and effectiveness of these controls.

Where email + domain controls fit. Email shows up as a supporting control under ICFR's IT general controls (ITGCs): controls over financial-system access authentication (often by email-based MFA), controls over vendor onboarding (every authorised email sender into a financial system is an entry point), and disclosure controls around the timely communication of material changes (often by email).

Why this matters. The CSA + the audit firms have intensified ITGC testing since 2023. Email controls used to be tested cursorily; cyber incidents at two issuers in 2024 (where attackers compromised mail accounts that approved wire transfers) put email-channel controls explicitly on auditor work-papers.

Clause-by-clause mapping

Each row maps a specific NI 52-109 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Clause: Section 2.1 - Disclosure controls + procedures (DCPs)
Category: Reporting
Requirement: The issuer's DCPs must be designed to provide reasonable assurance that material information is recorded, processed, summarised, and reported within the required time frames. Email-based escalation paths are typically a DCP component.
Wiredepth response: Continuous monitoring + alerts to Slack / Teams / SIEM webhooks demonstrate the DCP for posture-affecting events. The audit-log entry trail covers the "what was disclosed when" forensic question.

Clause: Section 3.1 / 3.3 - Internal control over financial reporting
Category: Authentication
Requirement: Issuers must establish + maintain ICFR designed to provide reasonable assurance regarding the reliability of financial reporting + the preparation of financial statements for external purposes.
Wiredepth response: DMARC enforcement + DKIM + SPF reduce the risk that an attacker can impersonate a finance-team member via email to authorise a transaction. The on-the-wire control evidence pairs with the per-domain workpaper for the IT general-controls section.

Clause: ITGC - Access management
Category: Authentication
Requirement: IT general controls supporting ICFR include logical-access controls. Email-based MFA tokens, email-based password resets, and email-based approval workflows all depend on the underlying email-channel security.
Wiredepth response: Email-auth posture (DMARC / DKIM / SPF / TLS) is the foundation logical-access controls depend on. Wiredepth Pro+ alerts on regression so the auditor sees a continuous-monitoring control rather than point-in-time tests.

Clause: ITGC - Change management
Category: Monitoring
Requirement: Changes to systems supporting ICFR must be authorised, tested, and documented. Includes changes to email-sending vendors authorised on the SPF / DKIM / DMARC records.
Wiredepth response: Vendor consolidation audit + alerts on SPF / DMARC record changes catch unauthorised modifications to the email-vendor authorisation chain.

Clause: ITGC - Operations + monitoring
Category: Monitoring
Requirement: ITGCs include monitoring of system operations + the response to deviations. Email-channel monitoring is the operations equivalent for the email surface.
Wiredepth response: Hourly scan cadence + alert routing covers the operations-monitoring control. The audit-log Merkle chain provides the tamper-evident evidence of monitoring deviations + responses that ICFR examiners want to see.

Clause: CEO / CFO certification (Form 52-109F1)
Category: Reporting
Requirement: CEOs + CFOs personally certify the design + operating effectiveness of DCPs + ICFR. Auditors test the underlying control evidence in support of the certification.
Wiredepth response: Workpapers (email-auth, TLS, vendor) generate the per-control evidence artefact in the format the auditor expects to include in the certification testing file. Chain-of-custody on every workpaper proves the artefact wasn’t modified after the testing window closed.

Clause: Form 52-109F2 - Interim certification
Category: Reporting
Requirement: Quarterly interim certification covers the design of DCPs + ICFR. Auditors expect quarterly evidence that the controls remained effective.
Wiredepth response: Scheduled compliance PDF delivery (Pro+) provides quarterly per-domain posture history. Pairs with the audit-log chain for the run-rate evidence the interim certification depends on.

Clause: Material weaknesses - Disclosure
Category: Reporting
Requirement: Identified material weaknesses in ICFR must be disclosed in the issuer’s MD&A and the certifying officers’ certification.
Wiredepth response: Per-domain D / F regressions surfaced by the dashboard are the upstream signal that often precedes an ICFR-affecting incident. Alert routing to internal audit + the CISO closes the loop before a material-weakness disclosure becomes necessary.

What auditors actually look at

An ICFR auditor (typically Big-4 in Canada) reviewing the email + domain surface would typically request:

  • The ITGC matrix entries for email + domain controls with linked implementation evidence
  • Sampled scan output across the audit window (typically four quarterly snapshots plus year-end)
  • Change-log entries for the SPF / DKIM / DMARC records during the audit window
  • Vendor onboarding + offboarding records for authorised email senders
  • Incident records for any email-channel events that approached the material-weakness threshold

Generate a NI 52-109-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + a NI 52-109 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).

Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.