RAAS Consulting Ltd

Risk Management, Sustainability, XBRL and Innovation

The Role of the Assurance Provider

(Extract from the unpublished manuscript: The Business Climate, by Daniel Roberts, 2007 - 2009. For additional information or detailed discussion of individual assurance standards and options, contact the author on the Contact Us page, or e-mail daniel.roberts01@gmail.com)

It has been a foundational premise of this document that CSR/Sustainability reports, to have relevance, need to be written with the needs of the audience in mind. Where this document differs from current assumptions is in the nature of the audience, and therefore the future authors of such reports. We believe that the future primary audiences for CSR/Sustainability reporting will be regulators and investors. As such, the information provided to these audiences, through a single report, will evolve rapidly. Certainly overtly marketing-focused reports of a CSR/Sustainability nature will continue to be produced, but these will become secondary.

Business reports provide regulators and investors with the information they require to have confidence that the company is complying with regulatory requirements and is structuring itself and functioning in line with strategic plans agreed by the Board of Directors, to the benefit of the shareholders. These two audiences, regulators and investors, need confidence that they can trust the information provided in the reports. Historically such confidence has been reserved for financial reports, and such confidence has been provided through the provision of assurance over the reports - the audit. Indeed, this also applied to the financial reports of privately held companies, with the audit report being a requirement of their lending institutions.

As regulators move toward greater reporting requirements it is reasonable to expect the existing regulatory reporting regimes to evolve to incorporate CSR/Sustainability content and metrics. Also, as companies move to provide more information in their MD&As, the information provided will come under review, to a greater or lesser extent, by the external auditors.

In this chapter we explore the current and potential world of assurance over CSR/Sustainability reports. We'll consider the existing assurance frameworks and postulate some alternatives for the future provision of assurance.

Assurance over the report

Business reports are produced with the intent that the information will be used for decision making. This is as true for external business reporting as it is for internal reporting, and as true for marketing materials as it is for a purchase order.

As reports are produced for consumption and decision making, the consumers of the reports need to have confidence in the accuracy and relevance of the information that is being provided. Of course the information that is being provided is consumed within a context of all other information provided by the company and available in the market. For example, the sustainable investment industry views with a certain scorn the sustainability reports provided by tobacco and alcohol producers. As these types of companies are already tainted by their core business, their sustainability reports are not accepted in a void. After all, an ammunitions factory could be lauded for its carbon footprint (pardon the pun) and community activity, but it is still an ammunitions factory.

Sustainability reports are just like other reports, and after other factors (such as the overall reputation, line of business and history of the reporting company) are taken into account, consumers want to confidently make use of the contents of the report.

As such, producers of the reports generally seek to provide consumers with confidence that the contents of the reports have been through a process of independent external validation - an "audit", and that assurance is provided by an independent external party. Such assurance can be an important aspect of reporting, as it provides confidence to the consumer of the information that such information can be trusted to fairly and accurately represent the actual situation as reported.

Taking Assurance Seriously

With the prevalence of "green-washing" and marketing hype that many CSR/Sustainability reports provide, the market (specifically the analyst, investor and regulator communities) will pay careful attention to the type of assurance being gained. Soft assurance, the kind of assurance provided by non-assurance or non-audit professionals, or assurance provided under softer standards, will be ignored by the analyst community.

Investors and analysts trust assurance reports that give them confidence that the information is accurate and complete, that internal controls are effective and thus halt or identify attempts to manipulate results, and that provide a level of confidence that is defensible in court.

Risk of Fraud (the balloon)

Corporate officers are now required (under the US Sarbanes-Oxley law – “SOX”) to certify that the reported results are accurate. These officers face criminal and potentially civil penalties if they knowingly certify inaccurate information in the reports.

While this has reduced the opportunity for direct financial statement fraud and misstatement, the concept of the balloon comes into play. Squeeze the balloon in one place, and it pops out in another. Misstatement of business information with the objective of misleading regulators, investors and analysts is a bit like the balloon. Tighter controls over financial reporting decrease the risk of misstatement of this information, but increase the danger of misstatement of unaudited information.

The fact of greater controls does not mean that the number of individuals willing, able or motivated to "fudge the numbers" has decreased, only that the opportunities have decreased.

Let us consider for a moment the reasons that information is misstated in the first place. Managers and executives in companies are given metrics and objectives that they need to achieve. These metrics could be operational, or could include improvements in share price or other external metrics. To commit fraud there need to be three factors: opportunity, reward and rationalization. Increased internal control quality under SOX has reduced the opportunity, but has done nothing to remove the other two motivations. Where the desire is to influence observers of a company's reported value in order to protect or increase personal reward, those who might have manipulated financial statements will find other externally visible measures they can manipulate. Unaudited information such as CSR/Sustainability information provides such an opportunity.

The investment analyst community uses information well beyond the audited reports: non-financial or extra-financial information, projections, unaudited segment information, competitor profiles and performance and industry comparisons, to name a few. Unintentional reporting of inaccurate unaudited information can skew investor models, and intentionally misstated non-financial or extra-financial information could be used to intentionally alter analysts' perceptions of a company.

Therefore we should not expect the tightening of systems of internal control and the introduction of penalties for the reporting of knowingly inaccurate information in audited reports to automatically reduce the volumes of intentionally misstated information.

To give an example, imagine a situation in which a company commits, at least in a CSR/Sustainability report, to reduce waste water by a given percentage or volume. Senior managers may have parts of their remuneration tied to achievement of these objectives. In such a case there is an incentive to influence reported results. As this information is not audited, but it is reported externally, senior management could decide to manipulate the results for both positive public relations and to meet personal targets and therefore protect bonuses and other remuneration. The resulting reports, while not audited, certainly are provided into a market place with the intent of influencing valuations of the company.

It should also be noted that we expect this risk to have a relatively short life, as we expect CSR/Sustainability information to become part of SEC and other regulatory reporting over the coming years. In the case of SEC registrant companies, the inclusion of CSR/Sustainability measures into mandated reports could result in this information becoming audited information under the reporting responsibility of the CFO or Finance Director. More importantly this information will become subject to two key sections of Sarbanes-Oxley: 302 and 404.

Under section 302 the CFO and CEO need to certify that the reported results are accurate, with penalties for knowingly reporting inaccurate information. Inclusion of CSR/Sustainability information under this section will result in this information coming under significant additional internal scrutiny, and review by the external audit community.

Should CSR/Sustainability information be considered part of the "Financial Statements" (or equivalent) then the creation of that information will become subject to section 404, and management will be required to both document and test the controls over the production of that information. In this scenario CSR/Sustainability information creation will become far more formalized and process driven, with correspondingly greater depth and quality, resulting in consumers of the information having greater confidence in that information.