Sustainability Assurance:
Fad, Frustration or Future?
F
or those still left unaware, the King Code
of Corporate Governance has, for the
past several years, and through the King
II and King III versions, recommended the
following:
1. Companies ought to produce an
Integrated Annual Report (IAR), preferably
in accordance with the Global Reporting
Initiative Guidelines on Sustainability,
known as “the GRI Guidelines”.
2. Companies ought to ensure that the
sustainability content within an IAR ought
to be assured by an independent third
party.
Put simply, companies can no longer
assume that it’s adequate to limit their
annual report to stakeholders to little more
than a set of financial statements, noting
that ‘stakeholders’ refers to interested and
affected parties beyond those who are
deemed ‘shareholders’ based solely on their
purchase of an interest in the company.
Granted, the Income Statement, Balance
Sheet, Cash Flow Statement and Changes
in Equity Report are all vitally important,
particularly to shareholders, but limiting
annual reporting to these statements has
become increasingly viewed as an inadequate
mechanism for communicating the overall
impact a company has on its sphere of
influence. Thus, King III recommends that
companies ought to not only expand reporting
to include social and environmental impacts of
their business activities, but to seek a similar
level of assurance over these “non-financial
impacts” as they would obtain from a financial
audit.
In business, there’s no such thing as
a “non-financial impact”, as all things
can ultimately be traced to the income
statement and/or balance sheet. What
might appear to be a selfless attempt
to reduce carbon emissions, and thus
positively affect climate change, is
ultimately a cost-saving initiative aimed
at reducing electricity and/or fuel
consumption. Equally, the taking of a moral
high road to make the workplace more
‘employee friendly’ is an effective strategy
to reduce the costs associated with high
employee turnover, or days lost due to
strike action. Thus, one can reasonably
assert that all things “sustainability” are
ultimately “financial”.
Although widely misunderstood, and
frequently misinterpreted by those seeking to
mislead their financial audit clients, King III’s
recommendation of “combined assurance”
encourages companies to ensure that a
comprehensive process is established to
meet the following objectives:
1. Identify and prioritize the company’s key
risks
2. Assess whether or not each risk requires
some form of assurance
3. Determine whether the required
assurance can be provided by an
internal resource (e.g., Internal Audit), or
whether an external assurance provider
is required
4. Identify and select, where necessary,
the most appropriate assurance
provider based on technical expertise,
experience, and the potential to receive
some form of value add from the
process
5. Assign internal responsibility for
managing the assurance process and
its outcomes (e.g., BBBEE auditors
reporting in to the Social & Ethics
Committee, or Occupational Health &
Safety auditors reporting to the Risk and/
or Audit Committee)
by Michael H Rea
factual accounting records, leading to near
catastrophic losses of shareholder wealth,
resulted in governments, particularly the US
and UK governments of the time, to institute
sweeping regulations that required companies
to make audited financial statements available
to shareholders. Unfortunately, this did not
necessarily eliminate problems associated
with transparency and/or accountability, but
rather trained reporting entities to speak
only of those things that could be measured
in terms of tangible assets. The intangibles,
such as people and the physical/natural
environment, were almost by definition
excluded from financial reporting rules and
standards. Moreover, the demand for audited
financial statements did not eliminate the
dubious practice of “creative accounting”,
which has far too frequently led to
monumental corporate scandals (see the Top
Five Worst Accounting Scandals, below).
Granted, one must respect the fact that
between the New York Stock Exchange
(NYSE) and the NASDAQ there are more than
5 000 listed companies in the US alone, and
those deemed ‘scandalous’, while noteworthy
and indicative of the on-going need for
procedural change, are among the minority in
terms of accounting behavior.
Top Accounting Scandals of All time
(http://www.accounting-degree.org/
scandals/)
6. Ensure that stakeholders are adequately
considered and/or engaged with respect
to the management and assurance of
each risk
Worldcom (2002)
R180 billion
Inflated assets by as much as $11 billion,
including inflating revenues with fake
accounting entries.
7. Ensure that stakeholders are duly, and
therefore transparently, informed of
any material findings from assurance
processes
Enron (2001)
$74 billion
Exclusion of huge debts from the balance
sheet that were not identified by Arthur
Anderson.
While the provision of audit opinions over
financial data is a tried and tested practice
dating back to Elizabethan England (mid
to late 1500s), the practice was limited to
government expenditures until early within
the 20th century. Although increasingly more
common among companies as a result of the
industrial revolution of the early 1800’s, the
almost universal expectation that companies
obtain independent audit opinions over
their financial records, particularly those
that are publicly listed, is widely regarded
as an outcome of the Wall Street market
crash of 1929. As with most crises, the
failure of companies to provide fair and
Bernie Madoff (2008)
$65 billion
Used a Ponzi scheme to bilk investors
out of $64.8 billion, but paying returns to
old investors using the income from new
ones.
Lehman Brothers (2008)
$50 billion
$50 billion in loans were disguised as
sales, leading to the largest bankruptcy in
US history.
Freddie Mac (2003)
$5 billion
$5 billion in earnings were misstated.
GBJ
11
However, one may wish to consider the
general commitment to transparency when
the independence of auditors is widely
regarded as ‘non-existent’ in a climate
where the average rotation period for the
Fortune 1000 companies is 22 years (GAO
Kills Mandatory Auditor Rotation, Fulcrum
Financial Group, 2003). Prior to the demise
of Arthur Anderson, the rotation period was
much higher, and it is reported that 10% of
the Fortune 1000 continue to have the same
auditor for an average of more than 75 years.
If one can argue that auditing does not
prevent financial malfeasance, is it not
therefore reasonable to ask whether
sustainability assurance can prevent social
and/or environmental misdeeds?
IARs) in the world include assurance from an
independent third party, of which 45.9% of all
assurance engagements were completed by
the “Big 4” accounting firms (i.e., Deloitte, EY,
KPMG and PWC).
Although the terms ‘audit’ and
‘assurance’ are frequently assumed to
be interchangeable, there is an important
semantic difference between the two,
most notably that while an audit is a
form of assurance, not all assurance
engagements are audits: the greater of the
two being the audit.
In fairness, the answer must be a fully
committed “No”. However, assurance is
not intended to predict and/or prevent
error, but rather to assess whether or not
companies are being fair and factual with
the sustainability content of their annual
reports. Just as financial audits evolved
into fraud detection and the testing of
financial accountability, assurance is rapidly
evolving into a mechanism for stakeholders
to trust the social and environmental
assertions companies publish within their
Integrated Annual Reports (IARs). Just as
corporate accounting scandals have led to
improvements in accounting and governance
standards, such as IFRS, the Sarbanes
Oxley Act and, of course, King III, social and
environmental scandals are rapidly increasing
the need for independent third party
assurance over the sustainability content
within IARs.
An audit is a test of whether or not
Question: Who provides assurance, and on
what basis?
AccountAbility’s AA1000 Assurance
Since the introduction of GRI-based
sustainability reporting in 1999, companies in
over 70 countries have not only adopted the
GRI Guidelines as a framework for reporting
(more than 2 200 companies fully applied the
Guidelines in 2011, while more than 2 000
more cited the GRI as a reference tool for
their reporting), but have sought assurance
over their reports. As disclosed in King III
and GRI+13, a 2012 Review of Sustainability
Reporting in SA (www.iras.co.za), 38.9%
of all GRI-based sustainability reports (or
involve specific and explicitly stated
12
GBJ
information is prepared in accordance with
specific rules, regulations and/or guidelines
(e.g., the International Finance Reporting
Standards, or ‘IFRS‘). This is generally a
‘yes’ or ‘no’ situation, with clear guidelines
as to how the auditor is expected to come
to their conclusion.
An assurance engagement is expected
to result in an expression of confidence
regarding whether intended users can
trust that reviewed information is fair
and factual, based on clearly stated
criteria (e.g., the GRI Guidelines, or
Principles). Although still expected to
criteria, or standards, an assurance
statement does not always require an audit
of data, and can be frequently deemed to
be little more than an ‘opinion’.
With 40.6% of all South African GRI-based
reports (52 of 128 reports, Figure 1) having
been assured, progress towards maximal
transparency and accountability in SA out
classes all but Spain (94 of 166 reports, or
56.6%), Sweden (63 of 125 reports, or 50.4%)
and Australia (37 of 91 reports, or 40.7%).
Moreover, and as per most of the top 10
reporting countries, the bulk of assurance
engagements are completed by the Big 4, but
with growing pressure from new role players.
Figure 2 (below) demonstrates the extent to
which assurance is being sought by many
of SA’s leading JSE-listed companies. While
only one company (Hulamin) has, at least to
our knowledge, opted not to seek assurance
after having had a report assured, several
have bounced between assurance providers
for what one can only assume is a lack of
confidence in their assurance provider (Note:
Toyota SA and Xstrata Alloys are not listed
companies, and no longer produce their
own sustainability reports). In some cases,
companies have even opted to engage the
services of two separate companies, most
possibly due to a deemed lack of adequate
capacity or experience in either one.
The rise of new assurance providers, from 6
in 2009 (including one that no longer assures
reports) to 10 in 2011 (13 known assurers
as from March 2013), suggests that there
is either an inadequate supply of assurance
providers relative to current demand in SA,
or that the existing role players are unable to
offer adequate ‘value add’ from their services
(or a combination thereof). The specific rise
of ERM as an assurance provider, having
poached a number of PWC’s top practitioners,
lays testament to a growing concern over
the Big 4’s ability to offer clients, and their
stakeholders, meaningful assurance. Although
not stated within their 2012 sustainability
report, one reads between the lines and
assumes that Sasol cannot obtain adequate
value for their assurance investment from
the likes of PWC, and therefore must rely on
the more technical assurance skills of ERM,
which is primarily home to engineers and
environmental scientists. The same is likely
to be said of Northam Platinum, who appear
to have wandered aimlessly through an
assurance wilderness, just as Goldfields and
Standard Bank appear to remain equally lost
Figure 1: Assurance Uptake per Country
Figure 2- History of Assurance Uptake in South Africa
Over the past few months, several incidents
have made it abundantly clear that the
concerns of many companies seeking
assurance are justified. Here are a few
examples:
• A JSE-listed company opted to teach their
assurance provider (new to the space)
how to provide assurance, using an
internal resource who previously worked
for a Big 4 firm.
• Assurance findings for a new client of a
non-Big 4 assurance provider identified
enormous gaps in historical data, even
though the data had been assured
by a Big 4 firm in each of the years
in question, ultimately leading to the
assurance statement being pulled from
the IAR by a Board heavily influenced by
representatives of the Big 4, on the basis
– among other misguided assertions –
that the assurer does not have to live up
to the same standards as accountancy
firms.
• Four assured reports, within our population
of 52 assured 2011 reports, were identified
as non-GRI compliant, even though GRI
compliance was identified as part of
the scope noted within the published
assurance statements.
• A non-listed entity recruited a company
known for shareholder activism to provide
assurance that does not adhere to any
local and/or international assurance
standards (ISAE 3000 or AA1000AS).
• A JSE-listed company openly declared
that they opted to forgo experience and
expertise in the assurance space for brand
recognition, thereby calling into question
whether their intent was to ensure that
the rubber stamp they were looking for
would be duly recognizable by enough
readers.
Clearly, there are some teething problems
within the assurance space, making it all the
more important for companies to do their
homework when choosing an assurance
provider. Moreover, there is increased need
for someone to step in and ensure that
assurance is meeting reasonable expectations
of value for the intended users of the
assurance (i.e., the assured company, and
the readers of their reports). It’s all well and
good for King III to recommend assurance,
making specific reference to the two most
prominent assurance standards – ISAE 3000
(exclusive to the accountancy firms, but
not desired by readers of reports due the
lack of a meaningful assurance statement)
and AccountAbility’s AA1000AS Assurance
Standard (open to all registered practitioners,
and the more useful in terms of assurance
outcomes and statements) – but the
recommendation must go further, so as to
create an expectation that assurance
GBJ
13
providers meet certain criteria before having
meaningless assurance statements placed
within corporate IARs. First and foremost,
there must be an adoption of standards
requiring that assurance statements add
value.
key data points included within the report.
Data is to be tracked to its source (e.g., meter
readings for electricity or water consumption),
and the reported information must be tested
to make sure there are no material errors and/
or omissions.
As companies, their stakeholders and
assurance practitioners accept that assurance
statements cannot be limited to blanket
conclusions using the double negative
– ‘Nothing has come to our attention to
lead us to believe that the information isn’t
correct’ – the risk will shift to companies
opting to exclude assurance statements from
their reports, almost completely negating
the purpose of assurance. While there are
no rules barring companies from making
reference to the assurance statement, and
then posting it as a separate document on
their website, all players must be diligent in
ensuring that access to assurance statements
is not hindered.
But what should this cost?
In the case of IRAS, we have developed a
new page on our website, purely to house
the assurance statements we produce, and
sign-off on, for our clients. In doing so, we
will ensure that our clients at least approach
the highest standards of transparency and
accountability, while informing other role
players about how effective assurance
statements ought to be written.
For these fees, companies should not only
receive an assurance statement for inclusion
within their IAR, or on their website as
an appendix to the IAR, but also a set of
management reports that ultimately help
inform the process of integrated reporting.
In fact, most would argue that the value
of assurance is not contained within the
assurance statement, per se, but rather in the
management feedback that occurs throughout
the assurance process.
More importantly, companies must become
much more alert to what an assurance
engagement ought to consist of, and what a
reasonable cost for assurance services ought
to be.
In fairness, one can over-simplify matters
and look at two different types of assurance
engagements: those that merely focus on
reporting processes; and those that also
look at data accuracy. In the former – what
in AccountAbility AA1000AS terms is a ‘Type
I’ engagement – the assurance provider
must conduct sufficient investigations to
determine whether the company’s reporting
processes – inclusive of policies, procedures,
systems and controls – adequately result
in the ability of stakeholders to access a
balanced account of the company’s economic,
social and environmental performance. This
can consist of desk research and interviews
with management, and should culminate in
reviews of the company’s integrated Annual
Report to assess whether or not reasonable
stakeholder concerns are adequately
addressed, whether the stories told within
the report are balanced (i.e., that the company
tells ‘all’ of the important stories, not just
the good ones), and that no material issues
are either glossed over or excluded from the
report.
In a Type II engagement, the assurance
provider is expected to do all of the Type
I tasks, but also to test the accuracy,
consistency, completeness and reliability of
14
GBJ
While it’s impossible to know what all of
the assurance role players currently charge,
it is possible to state that within our own
experience, over the past 5 years as a key
competitor in the assurance market, a Type I
assurance engagement should cost no more
than R120 000, while a Type II assurance
engagement, inclusive of 3-day site visits to
as many as 3 different operational sites, can
cost as much as R350 000. In some cases,
competitors may undercut these sorts of
rates, but in the majority of cases, assurance
providers attempt to inflate costs to well over
R500 000.
In closing, one should note that independent
third party assurance (ITPA) over the
sustainability content within IARs is not a fad.
Yes, it’s far-too-frequently causing frustration
for reporting entities and report readers
alike, but it’s not going away. As the world
continues to become more ‘connected’, and
as stakeholders increasingly revert to IARs
to obtain information about companies they
either want to work with or against, the value
of meaningful ITPA will continue to escalate.
The question is, will the assurers be ready?
10 of the World’s Worst Corporate
Environmental Disasters (www.
businesspundit.com/the-worlds-worstenvironmental-disasters-caused-by-companies/)
Gulf of Mexico, 2010
On April 20, 2010, a British Petroleum
(BP) contracted oil rig exploded in the Gulf
of Mexico, killing 11 workers. The leak
spewed an estimated equivalent of 70,000
– 100,000 barrels of oil per day, for 87
days. The trial is ongoing and expected to
last for months, if not years.
Niger Delta, 2006
On 26 December, an explosion and fire
along a Nigerian oil pipeline killed 200
people, with some sources claiming as
many as 500 deaths. This took place in a
densely populated area of Abule Egba, just
outside Lagos. The incident was blamed
on spillage caused by thieves who
siphoned fuel into a tanker. There was no
trial or fines incurred.
Ok Tedi, 1984 – 1999
For 15 years, Ok Tedi River Mining dumped
roughly 90 million tons of waste per
annum into its namesake river in Papa New
Guinea. This affected the way of life for
the 50,000 inhabitants of the 120 villages
along the river. The owner, Australia’s BHP,
was sued for $28.6 million and by 1999 has
dissolved their ownership of the mine.
Exxon-Valdez, 1989
On March 24, the Exxon Valdez, a 986-foot
tanker carrying over 1.2 million barrels of
oil ran aground while manoeuvring through
the Valdez Narrows in Alaska, spilling
257,000 barrels spilled into the narrows.
It cost the Exxon Shipping Company $2.1
billion, to employ of 10,000 people and
1,000 boats for four summers to clean up
the spill.
Bhopal, 1984
On December 3rd, toxic gases were
released at a Union Carbide pesticide
plant (now owned by Dow Chemical),
which killed more than 5,000 people in
the surrounding area, and affected an
estimated 500,000 residents who continue
to suffer from birth defects, blindness,
early menopause and various other
debilitating conditions. In 1989, Union
Carbide paid a $470 million settlement.
Three Mile Island, 1979
In March, a failure in a non-nuclear
section of a nuclear reactor at Three Mile
Island in Pennsylvania (USA) caused a
chain of events that led to the eventual
overheating and meltdown of the entire
nuclear plant. Releases of radioactivity
lead to the evacuation of pregnant women
and pre-school-aged children within a
five-mile radius of the plant. Thousands
of environmental samples, investigations
and assessments concluded that there
was negligible effect on the physical
environment. The plant is no longer in
operation.
Seveso, 1976
A reactor at ICMESA released a toxic cloud
containing roughly 2 700 kgs of chemicals
such as TCDD, a dioxin associated with
Agent Orange. It dispersed into Seveso (15
km north of Milan, Italy), resulting in mass
poisoning leading to hormone disruption,
cancers and immune and neurological
disorders. Most compensation claims were
held out of court, but the payment to the
government reached 20 billion lire.
Minamata Bay, 1932 – 1968
For 34 years, the Chisso Corporation
dumped mercury into Japan’s Minamata
Bay. Evidence began surfacing in 1954, but
Chisso paid-off doctors to keep residents
ignorant of neurological and birth defect
issues, which became known as Minamata
disease. Compensation amassed to more
than $80 million.
Lago Agrio, 1964 – 1993
Texaco’s run-off system from oil drilling
in the Ecuadorian rainforest produced 18
billion gallons of run-off into the Amazon
River. 30 000 plaintiffs suffered the high
levels of cancer. Damages sought were up
to $27 billion.
Love Canal, 1940s
The Hooker Chemical Company (USA)
dumped 21,800 tons of synthetics and
chemical byproducts into the Love Canal.
The Niagara Power and Development
Company permitted this because the
abandoned Niagara River canal had been
turned into a municipal dumping site.
However, a suburban neighborhood was
built close to the area and by the mid1970s residents were found to be suffering
from abnormal rates of miscarriages,
tumors and birth defects. In 1995,
Canal residents received $129 million in
restitution from Oxy Petroleum, the parent
company of Hooker Chemical.
Michael H Rea is the Managing Partner of Integrated Reporting & Assurance Services (IRAS) For
more information about IRAS, the upcoming launch of SA’s first Sustainability Data Transparency
Index (SDTI) , or the CSAP course, please contact Michael at [email protected].
To download IRAS’s latest research report, go to www.iras.co.za.
In the interests of transparency and accountability, the following is a list of our assurance peers,
colleagues and competitors. To gain an understanding of their services, please contact any of
the following ‘known’ assurance providers:
Assuredex
BDO
Deloitte
ERM
Ernst & Young (EY)
CA Assurance
Indyebo Consulting
KPMG
PKF
PwC
SRK Consulting
Kopano Xaba
Ursula van Eck
Nina le Riche
Simon Clarke
Jeremy Grist
Ben Pieters
Ndumi Medupe
Shireen Naidoo
Claire Jennings
Alison Ramsden
Donald Gibson
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
shireen.naidoo@ kpmg.co.za
[email protected]
[email protected]
[email protected]
GBJ
15