Friday 1 February 2013

Corporate Responsibility Reporting Assurance (3)

What is assurance anyway, Lara? Ha! I'm glad you asked.

OK, so let me introduce assurance and begin to analyse the concept of independence on which it depends. The contemporary assurance market is rooted in an explosion in social accounting experiments in the 1970s (Hess 2001). CR reporting declined and theoretical interest waned during the recession of the early 1980s. Environmental auditing and reporting picked up in the 1990s, and then underwent a steady expansion of remit. See Elkington (1994) on the “triple bottom line” of economic, social and environmental dimensions of organisational success. CR reports characteristically address all three dimensions.

In 2007 nearly 80% of the largest 250 companies worldwide issued annual CR reports, compared to about 50% in 2005 (KPMG 2008). I'm unsure where we are today, although I have a horrible feeling CR and CR reporting has slipped down the list of priorities since the most recent global financial crisis. CR shouldn't be one of a set of priorities: it should be the most important aspect of every priority a firm has.

CR is a highly complex and divisive concept. CR disclosure, especially in the form of annual standalone CR reports, is seen as one way of improving the deliberative setting in which the concept is contested.

Whenever there has been growing interest in CR reporting, there has also been a rise in independent assurance of CR reports. This is unsurprising, given the “growing body of social and environmental accounting research that finds corporate posturing and deception in the absence of external monitoring and verification” (Laufer 2003:254). Surveys regularly show public distrust of statements of business leaders (see e.g. BBC 2002). In 2007, about 40% of companies of the largest 250 companies worldwide used some form of assurance in their reports.

Before we go any further, we need to settle on a stipulative definition of assurance. As used by accountants, it is a very broad term covering the audit of financial statements, as well as various due diligence, attestation and agreed-upon-procedures engagements, and customised services which may or may not result in a standard form of report.

In the context of CR reporting, assurance sometimes refers to any tactic intended to add credibility to a corporate disclosure. This may include those which bear no obvious relation to accounting methodology. SustainAbility (2005:1) offer four categories of assurance unrelated to accounting methodology: evaluation, certification (e.g., against the SA8000 standard), expert statement (e.g., from NGOs or academics), and stakeholder commentary.

To further confuse matters, academics sometimes use audit as a broad term encompassing certification, consultancy and assurance activities which the accountancy profession would categorise as non-audit. This use is characteristic of Critical Management Studies; there “audit” emphasises the financial origins, and ostensibly mathematically-reductionist presuppositions of a positivist governance paradigm, for example Power and Laughlin (1992).

There is some inconsistency in the way the term assurance is used by the Big Four. Generally speaking, audit of financial statements is recognised as a sub-type of assurance. But since it is the main sub-type, referring to assurance rather than audit can imply that services other than financial audit are meant. PwC, for example, calls its core service line “Audit and Assurance,” tacitly differentiating the two.

In these blog posts, except where noted, assurance refers only to the assurance of CR reports in a manner that is “systematic, documented, evidence-based, and characterized by defined procedures” (GRI 2006:38), not to any of the wide range of engagements identified above. Audit refers only to the audit of financial statements.

The Big Four and a few other large accountancy firms dominate the assurance market. Technical or issue experts and specialist assurance provider firms have a sizeable minority share. Many companies use stakeholder panels and other third-party commentary to add credibility to their CR reports, but few firms combine these methods with formal assurance (KPMG 2008).

In addition to financial audit and assurance, the Big Four offer their clients a huge variety of consultancy and certification services. Assurance needs to be provisionally distinguished from these services. In assurance, there is a subject matter, a set of suitable criteria, and a tripartite relationship between assurance practitioner, entity responsible for the subject matter, and intended users of the subject matter. This standard break-down can be seen for example in IAASB 2004:283. A case in point is: the Vodafone Corporate Responsibility Report 2008/09 (subject matter); GRI’s G3 Guidelines and AccountAbility’s AA1000APS (criteria); KPMG LLP (assuror); Vodafone Group plc (responsible entity); Vodafone’s stakeholders (intended users of the subject matter).

The intended users of a subject matter often include the responsible entity itself, but to speak of “assurance” implies that the responsible entity is not the only user. This distinguishes assurance from consultancy. Assurors are “third parties,” positioned between the responsible entity and the intended users of the subject matter. The assuror applies the criteria to the subject matter, and issues a statement summarizing its findings. The assuror thereby advises the intended users on what level of trust they can place in the subject matter.

This assurance statement is usually included in the CR report itself. The statement is often of the form that the subject matter is “fairly stated.” The statement usually also includes a high-level summary of methodology, and sometimes includes areas in which the responsible entity could show improvement. A formidable liability statement is the final piece of the assurance statement.

This liability statement points to the difference between assurance and certification. Assurance is characterised by a comparatively low transfer of liability to the assuror. If the subject matter proves, contrary to the assurance statement, to be misstated, the assuror is fairly well-protected from torts initiated by those who have relied on it.

Liability is roughly correlated with reputation. In other words, if a certification agency only had the degree of confidence implicit in assurance when it issued its certifications, they would probably lose their credibility. However, the correlation is more exacting in the business world than in the wider public domain. In the case of financial audit, the transfer of liability to the auditor is consistently beneath public expectations. Audit has a reputation as certification against fraud – but is not considered so by auditors or by the law. Ha! See Millichamp (2002:2). This disparity is known, in a rather smug and patrician and euphemistic sort of way, as the “expectation gap.” Humphrey et al. (1992:57) argue that the expectation gap allows the accountancy profession to “convey an impression of responding to public concern; to reaffirm its independent and selfless image; to assert the validity of its own perspectives on the nature of the audit function; and to direct questioning away from the existing audit system to the limits of proposed reforms and solutions for closing the expectations gap.” For empirical work on the expectation gap see e.g. Monroe and Woodliff (2009).

Indeed, the boundaries of consultancy, certification, and assurance are in practice often blurred. There is an iterative quality to assurance, such that the responsible entity is advised periodically what steps are necessary to acquire an assurance statement. KPMG comment, “Once we receive a reasonable draft of the client’s sustainability report we can check whether the identified issues are covered and whether the information on a material issue is balanced. This is usually the start of a lively debate with the client about what different parties may perceive to be material for their organization, which is more difficult to define if the client’s own stakeholder engagement processes are not fully developed” (AccountAbility 2007:9).

In this way, assurance may drive improvements in CR reporting and underlying CR policies. However, Big Four descriptions of assurance accentuate how their independence can generate credibility, not how it can drive organisational change.

 This is our first indication of an orientation to the audit of financial statements. A brief history will help to explain. The link between audit and consultancy has been by far the most publicly contentious issue relating to auditor independence. In the late 1990s fierce criticism and a string of court cases persuaded all of the Big Five except Deloitte to sell or spin off their consultancy businesses. Deloitte also initially announced its intention to split into separate audit and consultancy firms. Following the collapse of Arthur Andersen (producing the Big Four from the Big Five) after its provision of dubious consultancy and audit services to Enron, a raft of tighter regulatory measures, notably the Sarbanes-Oxley Act 2002 in the US (“SOX”), seemed to take the problem of the relationship between audit and consultancy out of the Big Four’s hands. Deloitte thus elected to retain its consultancy business, which proved extremely profitable throughout the next decade. The other Big Four firms have quietly rebuilt their consultancy businesses. The issue remains a senstive one, however, and the Big Four seldom seek to thematise any complementarity of audit and consultancy.

But as Bendell (2005) argues, the link between CR consultancy and assurance is not so obviously problematic. Declining to assure a CR report does not lead to a dramatic loss of investor confidence, as is typical when an auditor refuses to sign off on a set of financial statements, or challenges a company’s “going concern” assumption. Similarly, “shopping around” for an assuror of CR reports is unlikely to make investors nervous in the same way switching auditors tends to, so ideas for organisatonal change can be drawn from a larger pool. Such advantages may outweigh the risk that assurors exaggerate the success of systems which, wearing their consultancy hats, they helped to design. See Beattie and Fernley (2003) for a literature review around auditor independence and the provision of non-audit services, and Cragg (2005:96-97) for examples of independence issues arising from consultancy in the context of CR report assurance and social audit.

The Deloitte web site offers a typical Big Four rationale for assurance: “As the importance in and reliance of [sic] these [CR] reports increases, there is a growing trend to add credibility to the information presented through assurance. The benefits include greater transparency, increased stakeholder confidence and enhanced regulatory compliance.”

The appeals to “greater transparency” and “increased stakeholder confidence” confirm that in Deloitte’s view, the point of assurance is credibility. “Enhanced regulatory compliance” whispers at organisational change, but it is an oblique phrase in need of some interpretation. Corporations in the UK are not legally obliged to undertake CR policies. The Companies Act 2006 requires that publicly listed companies include information in their annual report on “environmental matters,” “the company’s employees” and “social and community issues” (Section 417, Para 5). Assurance thus neither constitutes, nor falls under, any kind of state-mandated compliance regime. Listing “regulatory compliance” simpliciter as a benefit would make mandatory activities appear to depend on discretionary ones, and the main function of “enhanced” is to neutralise this connotation.

But there is also a ubiquitous expectation that CR will be increasingly legalised, and that reporting will be an early focus of this legalisation. For example, France has required publicly listed companies to publish annual environmental and social reports since 2001. A European Parliament resolution in 2007 recommended the revision of the Fourth Company Law Directive to include social and environmental reporting alongside financial reporting requirements. “Enhanced” thus also carries a sense of “ahead of the game” – organisations which assure their CR reports will find the transition easier when CR and CR reporting are inscribed in law. In this connection, “enhanced regulatory compliance” also imparts a sense of “enhanced standardisation”; that is, of compliance with widely-recognised standards like the G3, even though such guidelines are not regulatory in any straightforward sense.

That typo - a botched edit, actually - is exemplary of the kind of anxiety and confusion surrounding the purposes and priorities of CR reporting. It is likely that the phrase was originally “the reliance in and importance of these reports”; reliance connoting de facto market realities, importance with just a hint of idealism about it. The importance was deemed more important, but the editor left traces of his or her work.

Elsewhere Deloitte (2009:3) are confident enough to set a date on legalisation. “2015-2030 – Increasing legislation, regulation and tax policies force reactive organisations to adopt sustainable behaviour which now becomes a license to operate as unsustainable supply chains seem increasingly outdated. A few popular sustainable approaches and quality stamps emerge as standard, allowing benchmarking and greater consumer visibility. Increasing collaboration between non-competing organisations emerges as the main route to sustaining competitive advantage.”

From the Big Four’s perspective, responsibility for the economic, social and environmental impact of business is migrating inevitably from the public sector to the state sector, driven by ratcheting public expectations. Good CR policies, such as the assurance of CR reports, have their value in positioning businesses advantageously in this shift, and allowing them to shape a few of its specific characteristics.