Sustainability: Preparing for Verification

Deborah Evans, business manager: corporate reporting & assurance at LRQA, advises on how to establish a CSR report’s contents and prepare for verification.

Corporate governance is now part of the board agenda for company directors, and how performance is communicated to stakeholders is essential, especially as the investment community is taking more interest in non-financial operating accounts.

A report must be responsive to stakeholder concerns, social responsible investment requirements and stock exchange indexes. It should also be inclusive of society concerns, transparent and accountable, and address performance and efficiency.

First | Previous | Next | Last

Where should a company start?

First the scope of the report needs to be defined. Scope relates to the footprint of a company, for example the countries of operation and impacts arising from process activities and products. Companies can usually identify their main business operations and processes, but are less clear about reporting issues associated with joint ventures and subsidiaries.

Likewise reports tend to be less meaningful on impacts derived from the products and their supply chains, especially on those issues that stakeholders believe companies can influence. For example child labour used in supply chains is not acceptable to many stakeholders, yet corporate reports do not always present evidence of how companies are trying to re-dress these cultural practises.

There is no right or wrong scope as long as top management records its decision on whether the corporate report will cover all or only significant issues. This decision by management is fundamental to the external assurance process for determining whether the report is “a fair and balanced representation”. A company’s justification as to why certain company activities are not reported needs to be valid or else stakeholders may be misled.

An external assurance is where independent auditors are contracted to review the company’s annual corporate report to ensure that it addresses stakeholder concerns and that published data and information is correct. Since independent assurance is constrained by commercial costs, these audits are conducted mostly based on risk analysis and agreement that the company’s decision on what it considers significant is valid.

First | Previous | Next | Last

How often should companies produce a report?

Reporting periods tend to be annual - either calendar or financial. However, there may be a need for companies to report more frequently. Companies must therefore select an appropriate method to communicate their data and information as the frequency and type of media chosen has implications for the assurance process.

• If reports are to be current; then should the data or the systems generating the data be verified?
• Electronic reports allow easy updating but this technology also extends the depth of an assurance; how many hyperlinks and URL pathways should be verified?
  

First | Previous | Next | Last

What to report?

The basic contents of any report can be established readily by reviewing legislative requirements, peer reports and media coverage associated with the company and its industry sector. The result provides the backbone of the report and the performance measures that most stakeholders want a company to respond on.

To date more than 600 international companies have produced an annual report. The majority of these reports are based on international guidelines such as Global Reporting Initiative (GRI), Assurance Standard (AA1000 AS) and/or the EU Eco-Management and Audit Scheme (EMAS) Regulation. These guidelines are checklists against which companies can report on performance; thereby enabling stakeholders to undertake some form of comparison.

Identifying performance measures unique to the company and inclusive of society concerns is a more time-consuming process. One approach is stakeholder engagement and it does not have to be face-to-face. However, focus groups allow confirmation of whether a company’s activities are understood accurately and enable constructive dialogue on key issues.

Information gathered at these meetings helps top management determine which concerns need to be addressed in the corporate report. This dialogue is vital if the report is to be relevant.

Stakeholders’ main requirement for performance data is that it is in a format that allows for easy comparison. Therefore, when companies establish baseline data, it is worthwhile for them to spend time on formulating clear processes for data monitoring, gathering, calculation and aggregation.

Effective implementation of these processes across the company takes time but will ensure that future years’ performance are comparable as data is consistent. Maturity of data systems is frequently an ongoing area of improvement for companies.

Predominantly, for those issues that top management have decided to respond on, the performance reporting is annual. However, reporting trends provide stakeholders with a wider picture of the company’s commitment to improvement. Likewise progress against objectives and targets is more apparent. Where there is significant deviation (positive or negative) against a performance measure an accompanying explanation should inform stakeholders of the parameters influencing this departure. In fact, the inclusion of negative information increases the credibility of the whole report as it helps to demonstrate a company’s honesty.

Once the company has established the contents of its report, performance measures and supporting data systems, ownership of data and information needs to be assigned. This is important for internal accountability and the independent assurance.

First | Previous | Next | Last

Independent assurance

Credibility of data and information disclosed is critical and one that companies need to address.

According to Tom Delfgaauw, chair of AccountAbility, which developed AA1000 AS: “The word of business is no longer believed; so independent assurance of reporting has become extremely important.” This particularly applies following scandals such as Enron and Worldcom.

The role of an assurance provider is to validate that the report is balanced, fair, complete, unbiased and that it provides a relevant account of the company’s business. In order to achieve this and provide a professional judgement, the process is based on a set of core principles:

• Agreement of a scope of work; including the verification criteria which determines the pre-verification discussions with our customer and/or their appropriate stakeholders.
• Validation of:
  • data – in some instances back to source material but always the accuracy of top level aggregated data i.e. the figures published in the report. Typically monitoring and measurements systems are sampled to determine their reliability, accuracy and potential for introducing statistical errors. Also for key performance data the validity of assumptions used in calculations are questioned e.g. emission factors and the inclusion of an oxidisation figure during combustion.
  • information – through interviews with senior management and relevant employees to corroborate supporting documentary evidence, and to confirm that it is free of inconsistencies and faithfully reproduced.
  • systems & controls – visiting a sample of sites is standard practice to verify company activities, controls and performance.
• Evaluation of progress against any recommendations, objectives or targets. Accuracy of calibration is also reviewed to confirm that performance targets are set within monitoring equipment’s tolerance range.
• Production of reports; from a factual declaration on the accuracy of figures to an opinion of performance documented in an assurance statement.

First | Previous | Next | Last

How should companies prepare for assurance?

Prior to the assurance audit starting, companies should be confident that all providers of data and information have double-checked the origins of their datasets. Internal audits and/or production of support files are both suitable methods of providing assurance providers with documentary evidence on which they can base their assessment samples. It should also be self-evident that assurance providers are going to require access to sites, records and data systems, therefore it is important to ensure that personnel are prepared and available for the assessment. However, very often the preparatory steps mentioned above are not undertaken in-house due to resource constraints, so companies can gain significant benefits from an assurance assessment including:

• identification of specific gaps in performance indicators.
• identification of process improvements.
• a comprehensive evaluation of data collection systems.
• an indication of the data’s materiality, together with a list of errors discovered during the audit.

Companies should also ensure that there is sufficient time to:

• undertake rewrites when information can not be substantiated.
• undertake detailed checks of data transcription.
• check hyperlinks are correct.

All too often the publication deadline occurs before the whole process is complete and assurance providers will want to see the final copy of the report before issuing their assurance statement.

First | Previous | Next | Last

Selecting an assurance provider

Essential to the credibility of any verification is the reputation of the assurance provider. Previous assurance experience and knowledge of the industry sector is key.

The assurance provider must be able to demonstrate that competent personnel will be undertaking the verification work. Depending on the nature of the business, it may be important to check on international capabilities of the provider.

An additional selection criterion, following the financial auditing scandals of previous years, should be conflict of interest. Where possible the assurance provider should not have undertaken development or consultancy work within your company, or as a minimum declare their level of involvement.

Ultimately, an assurance service exists is to ensure that companies manage their risk, integrate controls into day-to-day operations, change stakeholders’ expectations and protect their corporate credibility and reputation. It is also to ensure that these corporate reports are a good read for stakeholders.

First | Previous | Next | Last