Wednesday, 19 June 2013

Corporate Responsibility Reporting Assurance (4)

Okay, a sort of interlude to peer into how the accountancy profession and other assurance providers hope to systematise CR reporting. My info here may be a little archaic (often to the tune of four or five years); I’ll try to bring it more up-to-date eventually, but in the meanwhile anyone who wants to chip in, please do!


Despite the mostly voluntary character of CR reporting and assurance, there are many signs of standardisation. Most of the largest 250 companies worldwide use guidelines developed by the Global Reporting Initiative (“GRI”), and they seem to try to keep pretty up-to-date.

Look a little closer, and the full extent of this standardisation is difficult to decipher. The GRI guidelines are widely used in some form or another, but the guidelines are designed to be incredibly flexible. Compliance with the G3 version of the guidelines comes at three “Application Levels” according to how many CR indicators the company is able to report on; compliance can be self-assessed, or checked by the GRI or by a third party; reports can also be assured or not (the next iteration, G4 is likely to drop this feature).

Assurance may also be restricted to certain aspects of a report, and it may be either at the “reasonable” or “limited” level. This last distinction relates to the amount of work done to verify the subject matter. Reasonable assurance results in a positive form of the assurance statement (“is fairly stated”) whereas limited assurance results in a negative form (“nothing has come to our attention to suggest that it is not fairly stated”). Statutory audit of financial statements is always at the reasonable level. Limited assurance is used in a variety of other contexts, for example, in quarterly reviews of financial statements. A KPMG survey in 2008 showed that “the majority of the G250 (51 percent) obtain report assurance that is a ‘limited level’ of assurance—a lower level that requires less work from the assurance provider and therefore lower costs. […] From a company perspective, choosing a limited level is not surprising since assurance on corporate responsibility information is mainly a voluntary activity.”

The most significant standard of assurance provision applicable to the Big Four is the ISAE3000, maintained by the International Federation of Accountants (“IFAC”) through the International Auditing and Assurance Standards Board (“IAASB”). For member organisations, ISAE3000 has become compulsory where there is no national alternative (such as the Australian AS/NZS 5911 standard). This applies to the Big Four through their memberships in ICAEW. Specialist assurance providers (such as SGS and Two Tomorrows) typically don’t use the ISAE3000. It is a very flexible, generic standard, applicable to a wide range of non-audit assurance engagements. It assumes that the scope of the assurance engagement will be set by the reporting entity. In the UK, the Auditing Practices Board (“APB”) has responsibility for implementing standards issued by the IAASB. It does not currently promulgate the ISAE3000. The APB has expressed the view that the ISAE3000 aims to address too broad a range assurance engagements.

Then there’s the AA1000AS standard. The AA1000AS was developed by the non-profit organisation AccountAbility specifically for the assurance of CR reporting. The Big Four comply with this standard at their clients’ discretion. The AA1000AS (2008) seems still to be the most recent incarnation.

KPMG describe their use of the AA1000APS (2003) as a two phase process. Phase 1 considers whether the scope and materiality of the report is appropriate. During Phase 1, KPMG run their own analysis of scope and materiality. This consists of establishing five input channels: stakeholder engagement; media search; sector knowledge (e.g. peer CR reports, industry body guidelines); client knowledge; and prior year CR commitments. Phase 2 considers whether the individual claims are accurate and complete. Phase 2 is a lengthy process of identifying and taxonomising material assertions. “This results in a detailed assurance plan (including a list of people to be interviewed and a list of the required documentary evidence) at corporate, business/regional and site level (if relevant), together with the selection of sites to be visited. The type and amount of evidence required varies depending on the type of assertion and the level of assurance being sought.”

AA1000AS was developed to complement ISAE3000. For example, AA1000AS’s moderate and high levels of assurance, which the standard recommends for “new” and “mature” issues respectively, are intended to be consistent with ISAE3000’s “limited” and “reasonable” levels of assurance.

One important difference between the AA1000AS series and the ISAE3000 is that the assuror’s consideration of “materiality” is not limited in a scope set by the reporting entity. Materiality is a crucial concept of financial audit methodology, that has been carried over into assurance. Very loosely speaking, material information is significant information. It’s what matters. (I may get more detailed elsewhere).  Under the AA1000AS series, the assuror assesses the degree to which the reporting entity’s scope has correctly identified its stakeholders and their needs. In other words, the assuror must make judge the reporting entity’s choices about what is and is not significant, by appeal to its stakeholders.

So those are the main standards used in the assurance of CR reporting. The Big Four have also developed their own tools relating to CR reporting, for instance Deloitte’s Sustainability Reporting Scorecard (2004), thirty criteria against which to assess a CR report. I’m not sure how much uptake there was of this.


There is comparatively little independent monitoring of this assurance itself (well, you do have to stop somewhere, I suppose). The G3 includes guidance on satisfactory assurance, but compliance must be self-assessed. One GRI representative commented, “An organization should look at the definition on pg. 38 of the GRI Guidelines and make its own assessment in conjunction with the assurance provider as to how they wish to communicate their engagement publicly. We will not take a position on whether a given engagement does or does not constitute ‘external assurance’ as it is impossible for us to assess the full range of engagements put in front of us” (2009).

AccountAbility don’t monitor the use of the AA1000AS (2008) to a detailed level. Each use of the AA1000AS (2008) in an assurance statement requires payment of a license fee to AccountAbility. AccountAbility pre-checks only the statement itself, although an acceptable statement must include a description of methodology. In partnership with the International Register of Certificated Auditors (“IRCA”), AccountAbility offers individuals training and certification in the use of AA1000AS (2008). AccountAbility also has an assuror membership programme (which includes all of the Big Four). However, neither of these are requirements to use the AA1000AS (2008).

The accountancy profession’s self-regulation mechanisms monitor compliance with the ISAE3000. In the context of indepedence, it's worth pointing out that the organisations which embody these mechanisms scoop their members from the cream of the accountancy profession, including Big Four partners. A quick scan suggests that about half the members of the APB are current or former associates of the Big Four, with the remainder drawn from business, law or academic backgrounds. The Big Four are also well-represented on the IFAC board.

High-level oversight of the ISAE3000 is provided by the Public Interest Oversight Board (“PIOB”), an extension of IFAC. In the UK, an infringement of the ISAE3000 would be reported to the professional body of which the firm or one of its employees was a member. All of the Big Four are institutional members of the Institute of Chartered Accountants in England and Wales (“ICAEW”). The Financial Reporting Council (“FRC”) is the UK’s independent regulator responsible for the accountancy and audit profession. The FRC, through its Professional Oversight Board (“POB”) has a statutory responsibility to ensure that these bodies have effective arrangements in place to investigate complaints against their members and member firms. The FRC recommends that professional bodies escalate cases concerning the public interest to its Accountancy & Actuarial Discipline Board (“AADB”). The AADB may also autonomously initiate investigations. As noted above, the APB does not currently promulgate the ISAE3000. In 2009, Executive Director of the APB commented, “While the ICAEW have some sort of monitoring of all services provided by audit firms in the UK (Practice Assurance), in reality I think it is fair to say that there is no monitoring of compliance with it [the ISAE3000].” There is thus something of a regulatory gap; certainly there is less oversight of this standard than of comparable audit standards.

A few more bits & pieces

In addition to all these standards and frameworks described, the Big Four aim to conduct their assurance work in accordance with the Code of Ethics for Professional Accountants, maintained by IFAC’s International Ethics Standards Board for Accountants (“IESBA”), as well as with their own codes of conduct and independence policies, and with appropriate national laws.

Important national legislation includes SOX, enacted in the US in 2002 in the aftermath of a number of major corporate and accounting scandals, above all the collapse of Enron and subsequently of their auditors, Arthur Andersen. Among its provisions, it prohibits professional services firms from doing audit and certain consultancy work for the same client. SOX also extends the scope of statutory audit to a range of internal fraud-prevention controls. ICAEW comments, “The most effective way to ensure the reality of independence is to provide guidance centred around a framework of principles rather than a detailed set of rules that can be complied with to the letter but circumvented in substance.” The focus of these blog posts is the UK system, characterized by this “principles”-based approach. It should be noted however that in the US context, largely as a consequence of SOX, threats to independence are subject to far greater “bright line” legislative specification and governmental regulation.

Finally, an there is the Audit Firm Governance Code, a code of best practice applicable to firms that audit more than twenty listed companies. This comprises the Big Four and four other large professional services firms. As far as I’m aware this doesn’t contain any provisions which are not chiefly oriented to the audit of financial statements.

Okay! Onward!

No comments: