THE ROLE OF INTERNAL AUDIT IN NON-FINANCIAL AND INTEGRATED REPORTING


Foreword

Non-financial reporting has evolved considerably over the last decade. There has been a raft of new legislation and voluntary frameworks both in the UK and internationally highlighting the need for organisations to demonstrate how they create value in the long term.

In this report, we provide some early insights into how internal audit can be, and is beginning to be, harnessed by organisations in the vanguard of this new era of corporate reporting.

There is a crucial role for internal audit here. It has a broad view across the whole organisation, knowledge of the sources of information, systems and processes that generate that information and understanding of the organisation’s risks and controls. These put it in the perfect place to give not only a comprehensive view of how the organisation manages its resources but also how it goes about collecting and quality assuring the information used for integrated reporting and the strategic report.

We are grateful to those who shared their experiences with us. While it is still early days for internal audit to be involved in non-financial reporting we hope that this paper will be useful to the profession as it is called upon to provide advice and assurance in this area.

Dr Ian Peters
Chief Executive
July 2015

Contents

Executive Summary

Section A: Integrated Reporting – the benefits and challenges

Section B: The role of internal audit in integrated reporting – assurance and advisory

Section C: Emerging practice – examples of internal audit’s involvement in non-financial, sustainability and integrated reporting

Annex 1 – Key questions for internal audit in relation to integrated reporting

Annex 2 – New reporting requirements


Executive summary

A new era for corporate reporting is dawning as business strategies and how they are controlled come under greater scrutiny by their stakeholders including investors, customers, local communities, and legislative/regulatory policy-makers.

In 2013 the UK Government introduced a new regulation under the Companies Act requiring all incorporated entities to prepare a strategic report. This should provide a description of the entity’s strategy, objectives and business model, an explanation of the main trends and factors affecting the entity, including its principal risks and other non-financial information relating to the environment, employees, social, community, human rights issues and gender diversity.

In the same year, the International Integrated Reporting Council (IIRC) published its voluntary Integrated Reporting Framework. When adopted this enables organisations from all sectors to produce a concise and accessible report on how they create value in the context of their strategy, governance, performance and external environment.

The EU Council, in September 2014, adopted a Directive on non-financial reporting that will, from 2017, require companies to disclose a wider range of information, including policies, risks and outcomes on issues such as the environment, human rights, social, anti-corruption, diversity, etc.

But implementing these new types of reports presents challenges. They require organisations to bring together information on what may be disparate parts of the business into an inclusive view of its activities and impact.

One of the challenges is how to ensure that controls are effective, the right things are measured and that systems and processes are in place to capture the data needed for reporting purposes. The quality of those systems and outputs must be, as far as possible, evaluated and stakeholders assured on them so that reporting is accurate and reliable.

Internal audit has a broad view across the organisation’s systems and processes and it should have a role in providing assurance over the quality of information contained in the strategic and integrated reports. This key role is well within the remit of a well resourced, appropriately positioned and influential internal audit function.

This report is in three sections

• An explanation of integrated reporting and its benefits and challenges

• The use of internal audit in integrated reporting – the theory

• Internal audit’s role in non-financial and integrated reporting – emerging practice


Section A: Integrated reporting – the benefits and challenges

Organisations, especially big businesses, produce a huge number of corporate reports containing large amounts of data and detail each year. These include the annual report, the chairman’s review, the corporate social responsibility (CSR) report, the operating review etc. In the UK, statutory reporting requirements for annual reports are set out in the Companies Act 2006. Narrative reporting continues to be under the spotlight, with proposed changes from both the UK and EU authorities driving increased accountability to all an organisation’s stakeholders (see annex 2). While the reports tell us a lot about the organisation in question they do not necessarily give a comprehensive sense of how the company’s performance relates to the business model, its effective use of resources and the long-term view of where the organisation is heading. Furthermore, it is rare that linkages are made between all these corporate reports.

Pressures to maximise short-term returns on investments and share prices are ever present, but the concept of stewardship suggests that helping a company thrive for years into the future should be what prudent directors on boards care most about rather than a narrow focus on maximising short-term shareholder value. Yet according to an article in the Harvard Business Review¹, which reported on findings from a 2013 McKinsey study on the effectiveness of boards, only 22% of directors said their boards were completely aware of how their organisations created long term value.

The importance of environmental, social and governance (ESG) issues to investors and other stakeholders is underlined by corporate mishaps ranging from the Deepwater Horizon disaster to the collapse of a textile factory in Bangladesh. As a result there is a growing focus on organisations to report on these wider ESG impacts and dependencies.

In the private sector, for example, a study by EY² found that two-thirds of global investors evaluate non-financial disclosures. However, only half of this group uses a structured process to make their assessments. Integrated reporting would help provide this standardised information to investors as well as benefitting other stakeholder groups. Ultimately such reporting and the behaviours that underpin it are vital for organisations that are serious about sustainability and managing reputational risk.

Integrated reporting, which is based on a voluntary framework, is looming large on the horizon. It represents an evolution in corporate reporting and its aim is to address some of the shortfalls associated with traditional financial-based reporting. Obscure and technical financial reporting, and the current practice of only reporting the financial status at a point in time, gives an incomplete picture of a company’s sustainability, long term value and continuing resilience. Conversely the information in an integrated report aims to show connections between financial, environmental and social impacts in a clear and concise manner.

1 Where Boards Fall Short, Harvard Business Review, January-February 2015

An integrated report is a concise communication about how an organization’s strategy, governance, performance and prospects, in the context of its external environment, lead to the creation of value in the short, medium and long term.

Source: IIRC

2 Tomorrow’s investment rules – global survey of institutional investors on non-financial performance, EY, 2014

An integrated report explains how an organization creates value over time. It therefore aims to provide insight about:

• The external environment that affects an organization

• The “capitals” (resources and the relationships used and affected by the organization), whether they are financial, manufactured, intellectual, human, social and relationship, and natural

• How the organization interacts with the external environment and the capitals to create value over the short, medium and long term.

Source: The International Integrated Reporting Framework, The IIRC (2013), p10


The IIRC was set up in 2010 by the Prince of Wales’ Accounting for Sustainability project, the International Federation of Accountants and the Global Reporting Initiative. The IIRC focuses on development of the integrated report and published the International Integrated Reporting Framework in December 2013.

Integrated thinking

The integrated reporting process is based on “integrated thinking”. Therefore integrated reporting can give teams across the organisation the opportunity to work together on their corporate reporting.

The strategic report

The Financial Reporting Council (FRC) has recognised the need for company reports to take a longer term view. In August 2013, the Government published new Regulations for the strategic report and directors’ report, resulting in an amendment to existing company law requirements. The main change was the introduction of a requirement for certain entities to prepare a strategic report as part of their annual report, and the FRC has subsequently published guidance³ to help them prepare a high quality strategic report which provides shareholders with a holistic and meaningful picture of the entity’s business model, strategy, development, performance, position and future prospects. Moreover, the 2014 changes to the Corporate Governance Code focused on the provision by companies of information about the risks which affect longer term viability.

In contrast to an integrated report, the strategic report is an integral part of UK statutory corporate reporting, with its position in the annual report, purpose and content largely determined by legislation. It is worth noting, however, that the proposed International Integrated Reporting Framework encourages similar qualitative characteristics and content e.g. concise and clear communication; and connectivity of information.

Therefore strategic reports that follow the FRC guidance should result in reporting that is consistent with the International Integrated Reporting Framework. For example, one of the key elements within the FRC guidance is that the strategic report should be fair, balanced and understandable, and that directors should take into consideration the strategic report when ensuring that the annual report, when taken as a whole, is also fair, balanced and understandable. One of our case studies in section C gives an example of internal audit’s role in relation to judging this element of the annual report. Companies are starting to apply the new rules on the strategic report, and some see this as a potential route to full integrated reports.

Integrated thinking is the active consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects. Integrated thinking leads to integrated decision-making and actions that consider the creation of value over the short, medium and long term.

Source: IIRC

C.1.2. The directors should include in the annual report an explanation of the basis on which the company generates or preserves value over the longer term (the business model) and the strategy for delivering the objectives of the company.

Source: FRC Corporate Governance Code 2014

3 Guidance on the Strategic Report, Financial Reporting Council, June 2014


How is integrated reporting different to current reporting?

| | Current reporting | Integrated reporting |
|---|---|---|
| Thinking | Isolated | Integrated |
| Stewardship | Financial capital | All forms of capital |
| Focus | Past, financial | Past and future, connected, strategic |
| Timeframe | Short term | Short, medium and long term |
| Trust | Narrow disclosures | Greater transparency |
| Adaptability | Rule bound | Responsive to individual circumstances |
| Conciseness | Long and complex | Concise and material |
| Use of technology | Paper based | Technology enabled |

Source: Towards Integrated Reporting, Communicating Value in the 21st Century. The IIRC (2011)

The benefits of integrated reporting

The diagram shows the potential benefits of integrated reporting (Eccles and Armbrester, 2011, ACCA, 2014a&b; Crutzen, 2014):

[Diagram: integrated reporting, with four benefits: improvement in the process of stakeholder engagement; conformance with reporting requirements; business performance; short, medium, long term value creation]


• Improved stakeholder engagement: Key stakeholders such as investors, analysts, data vendors and increasingly customers seek accurate information. More than 90% of investors surveyed by the ACCA in 2014⁴ think that it would be valuable for companies to combine financial and non-financial information into an integrated reporting model.

This improvement in stakeholder relations can also enhance competitiveness, reduce supply-chain risks and ultimately improve an organisation’s reputation and brand.

• Business performance: Integrated reporting aims to reflect the execution of an organisation’s strategy and provide a better understanding of the key performance indicators underpinning the strategy. It also contributes to the enhancement of risk management systems by aligning the organisation’s risks more closely with its opportunities.

• Conformance with reporting requirements: Organisations are facing increasing regulatory demands in relation to financial and non-financial reporting (see annex 2). Therefore organisations should be prepared to comply with these reporting requirements and provide assurance to those charged with governance.

According to research by the ACCA⁵, which sought the views of 200 CFOs and other finance leaders, many companies remain sceptical about integrated reporting at present but most expect to migrate to the model at some point in the future. Just under 40% said that they are taking active steps towards an integrated reporting model but just under half of the ACCA’s survey respondents said that they are adopting a “wait and see” approach before making a decision.

Some may remain sceptical because, even though the theoretical benefits of such a reporting process are quite obvious, there are some questions and challenges:

• For governments, legislators and the public: what are the minimum levels of reporting criteria/metrics businesses should be expected to report on?

• For businesses: to what extent should reporting go beyond complying with minimum standards? They also need to take into account the potential effect this would have on their relative competitive advantage.

The ACCA report also highlighted that CFOs consider that the main benefit of integrated reporting is to show that the organisation is an advocate of sustainability. Furthermore many CFOs said that it would enable organisations to align risks with opportunities, adopt a holistic view of the real drivers of corporate performance and to build stronger relationships with external stakeholders.

On the other hand, according to a recent survey of 500 leaders commissioned by the IIRC⁶, nearly 50% of CEOs, CFOs and COOs say they are moving towards integrated reporting. And 35% said they will adopt integrated reporting in the next two to three years.

4 Understanding Investors: the Changing Corporate Perspective, ACCA, 2014

5 Understanding Investors: the Changing Corporate Perspective, ACCA, 2014

6 Research by CIMA, AICPA and Black Sun commissioned by the IIRC, 2014


The key challenges in embedding integrated reporting in organisations

As an organisation moves towards integrated reporting there will need to be a full understanding of the different factors which affect value creation over time, and the connections and interdependencies between these factors. There will also need to be a more joined-up approach to the way information is drawn together from across the organisation to report on performance.

Guidance on integrated reporting⁷ suggests that some elements of integrated reporting can be difficult to implement (such as conciseness) or even seem contradictory (conciseness vs. completeness; transparency vs. competitiveness; reporting constraints vs. operational performance). The right balance will need to be struck regarding:

• the scope and supporting information of the organisation’s integrated reporting

• communication of long term objectives or sensitive information on strategy

• management of several business models due to market and product diversity

• comparability without established and shared standards for each type of capital

• the processes ensuring the quality of disclosures

• the level and nature of assurance needed

• materiality for non-financial risks.

7 Enhancing Integrated Reporting, IIA institutes of France, the Netherlands, Norway, Spain, and the UK and Ireland, 2015

It will be important to make sure that organisations are measuring the right things and that effective systems, processes and controls are in place to capture the information and report on it. In other words, sound governance, risk management and control processes are fundamental foundations for integrated reporting.


Section B: The role of internal audit in integrated reporting – assurance and advisory

Internal audit has a broad view across the whole organisation’s systems and processes, and an understanding of risks and controls. This puts it in an ideal position to provide advice and assurance around the information generated for integrated reporting.

Furthermore, some internal auditors, particularly in public sector organisations, produce an annual report where they provide an overall judgement on risk management and the effectiveness of internal controls. With the move towards integrated reporting these reports may become more meaningful and add more value as they are naturally aligned to the integrated report.

Internal audit is well-placed to provide a range of advisory and assurance services in the area of integrated reporting. The fan⁸ shows this range in more detail.

8 Enhancing Integrated Reporting, IIA institutes of France, the Netherlands, Norway, Spain, and the UK and Ireland, 2015. Adapted from The role of internal audit in Enterprise-wide Risk Management, IIA Global position paper revised 2009

[Figure: the fan of internal audit roles in regard to <IR>. Legend: core internal audit roles in regard to <IR>; legitimate internal audit roles with safeguards; roles internal auditing should not undertake. Roles shown on the fan:]

• Championing the establishment of <IR>

• Facilitating the establishment and evaluation of the <IR> assurance map

• Reviewing key risks and opportunities

• Monitoring progress against the targets set by those charged with governance

• Providing assurance on data integrity

• Evaluating the adequacy of governance, risk management and controls processes related to financial and non-financial capitals

• Giving assurance that the principles and content elements of the <IR> Framework are correctly taken into account

• Reviewing the organisational structure and key information systems underlying <IR>

• Giving assurance on the <IR> processes

• Providing information regarding policies and performance for which internal audit is directly accountable

• Facilitating the design of a systematic approach to <IR>

• Challenging the organisation’s reporting strategy

• Challenging the reasonableness of future projections

• Fostering integrated thinking

• Advisory services during pre-implementation stages of <IR> to facilitate the design of adequate controls

• Insights on the organisation’s value creation process

• Setting materiality levels

• Imposing reporting processes

• Taking decisions on <IR> strategy

• Implementing risk responses on management’s behalf

• Accountability for <IR>


Internal audit’s role is likely to move from an advisory to an assurance role as the organisation’s integrated reporting programme becomes more mature. The example of The Crown Estate shows how internal audit is moving from an advisory role at the beginning of the organisation’s three-year plan towards an assurance role as the approach becomes more developed. As integrated reporting develops internal audit will also be tasked with assessing the process by which the report is constructed by determining whether there are robust internal systems for producing the report. This falls comfortably within the existing remit of internal audit. Key questions that internal audit can answer in relation to integrated reporting are outlined in annex 1.

Internal audit’s assurance role will not fundamentally change as it will continue to provide assurance to the board and the executive on how controls mitigate the risks to the entity.

Combined assurance

Combined assurance is fundamentally about marshalling assurance provision so that the people governing the organisation and stakeholders know that objectives are being achieved through the management of risk. Internal audit can build on the role it already has in some areas in relation to providing combined assurance with external audit. Where it doesn’t already do this then working to the integrated reporting model can act as a catalyst to do so. As part of a combined assurance model internal audit can support external audit providers who will also have to go outside their comfort zone if they are to provide the same level of assurance over integrated reporting as over financial statements. The Marks and Spencer case study in section C shows how internal audit is working with a big 4 firm to provide combined assurance on sustainability reporting.

There is recognition that integrated reporting is a process in its infancy where there will be continued development, and claims of providing full, or even reasonable, assurance at this stage may later be seen as premature. Furthermore, whilst the degree of assurance which can be given in some areas may increase over time, there may remain areas where it will never be possible to provide assurance because of the nature of the reporting.

Assurance around non-financial information and risk

There will be challenges relating to the internal controls, as there have been historically around any information that is presented outside of the finance process. Robust internal controls have, however, developed in other areas such as environmental impact and should do so too in integrated reporting.

In the short term there is a risk that the take-up causes confusion amongst investors, either because they do not accept the gradual approach, or they are misled by the assurance provided. However, this approach does not seem to have caused issues as yet for those early adopters.

Integrated reporting should also inform and improve risk management, providing additional focus on and measure of materiality i.e. those areas that matter to a business. There should be a responsibility to give a view on the reasonableness of both the process that delivers the conclusion and the conclusion itself. Internal audit can provide this view on non-financial materiality.

Areas of assurance

Internal audit can provide a wide range of assurance to the board around the reliability of integrated reporting metrics through reviews of:

• The underlying processes for the production of the report including governance and “integrated thinking”.

• Risks related to integrated reporting identified in management’s and the board’s risk assessments concerning: reputation, compliance, operational issues and external stakeholder relationships.

• Materiality (mainly for non-financial information).

• The balance of conciseness and transparency in the report.

• The accuracy of the organisation’s business model as described in the report.


Skills

Internal audit can contribute significantly to the relevance of integrated reporting by looking at ‘new’ reporting areas required for integrated reporting that need to be measured and qualitative judgements made, including areas such as sustainability.

Many of the skills within the internal audit community that will enable them to provide assurance around integrated reporting are already there. As the integrated reporting process becomes more established in an entity internal auditors should be able to develop and practise those skills as they become more experienced in the field. The Philips example in section C shows that the internal audit function became involved once integrated reporting was well-established in the company and that as time goes on the function will be able to cover much of the work that is currently covered by the big 4 assurance providers.

How internal audit can work with other key functions that are involved in integrated reporting

As integrated reporting concerns internal control, risk management and governance issues, senior leaders can champion activities and initiatives that relate to integrated reporting and seek to improve both hard and soft controls to the benefit of all key stakeholders. This can be achieved by ensuring that all layers of the control framework – operational management, specialist compliance and risk management, assurance providers and those with ultimate responsibility for corporate governance – are closely aligned.

Internal audit can play a key role to help facilitate knowledge sharing and “integrated thinking” by building on its relationships with key teams around the organisation and its broad knowledge of the organisation.

Internal audit can play an important role in prompting and widening organisational discussions about the introduction of integrated reporting in an organisation. As a result internal audit should be engaging with senior leaders with regard to questions of awareness, ownership and oversight of integrated reporting and how and when independent and objective assurance can be provided. Indeed this is where integrated reporting can help facilitate the provision of integrated assurance.

This will require internal auditors to enhance their existing skills and knowledge but this ‘upskilling’ is similar to debates on how internal audit will need to embrace different skills and methodologies when, for example, auditing strategic events and areas such as organisational culture⁹.

9 Culture and the role of internal audit – looking below the surface, IIA 2014


How is team involvement changing over time?

The chart below shows which key functions are involved and how this is predicted to change over the next three years.

[Chart: involvement of each function 3 years ago, today and in the future, on a scale of 0% to 100%. Functions shown: Board/Directors; Corporate Communications/Marketing; Finance; Human Resources; Internal Audit; Investor Relations; Legal/Company Secretary; Risk; Strategy; Sustainability/Corporate Responsibility]

Source: IIRC Pilot Programme Research, 2014


The Crown Estate – integrated reporting

Background

The Crown Estate is an independent commercial business, created by an Act of Parliament. Its role is to make sure that the land and property it invests in and manages is sustainably worked, developed and enjoyed to deliver the best value over the long term. The property managed by The Crown Estate is owned by the Crown but is not the private property of the monarch and its profits are returned to the Treasury for the benefit of all UK taxpayers. Over the last ten years, it has contributed over £2.2bn to the public finances.

The Crown Estate is managed by a board with clear governance structures. While it doesn’t have investors in the same way as a publicly traded company it is important for them to justify their licence to operate and tell the story of their proposition to all of their stakeholders, including the Treasury, and be as transparent as possible. This transparency builds trust and is a key driver of commercial success.

The Crown Estate published its first Integrated Report in 2013. They were building on a long history of sustainable business practice but had previously published separate reports. Integrated thinking has helped them to pose the question of how to create value in the short, medium and long term. To do this they have laid out a new vision for 2022 and have evolved their business planning process to make sure it takes account of the material issues that will influence their performance. In addition to understanding how they create value they have also developed an approach to measure that value they call “Total Contribution”. This goes beyond the financial returns to the social and environmental contributions its activities deliver for the United Kingdom.

Methodology

The organisation set up a three-year plan to develop its approach to integrated reporting. Internal audit was brought in at year two working closely with one of the accounting firms in a co-sourced model.

• Year 1 focused on understanding the business model. There were plenty of different perspectives on this so it took time to get a consensus.

• Year 2 was about understanding what capitals and resources they rely on to do business and relating inputs, outputs and outcomes. They looked at the broader market and how they could play a role in that.

• Year 3 will be about valuing non-financial returns and externalities.

To start the process off they asked what the material issues were and looked first at the key risks. A group including the Finance Director, the Head of Sustainability, corporate affairs, internal audit, legal, risk and representatives from the portfolios met monthly to integrate their thinking. They started with the risk register and reviewed it to assess what was really material. The behaviour and openness of the group was key to the successful collaboration. It was challenging to decide on what the material issues were but they found the debate itself extremely valuable. What drives materiality decisions is whether the issues are important to the board or not and they do not separate materiality between financial and non-financial. In fact, The Crown Estate stresses that all the material issues have financial and non-financial impacts.

Concluding thoughts

The necessary conditions before an organisation starts on this journey:

• an understanding of sustainability issues and the level at which sustainability sits in the organisation,

• leadership support, and

• the right culture.

Section C: Emerging practice – examples of internal audit’s involvement in non-financial, sustainability and integrated reporting

There are a number of routes organisations can take at the start of the journey into integrated reporting. The four case studies below outline different approaches to reporting and providing assurance on non-financial metrics.


SABMiller – Judging the annual report

At SABMiller, the Chair of the Audit Committee asked the Chief Internal Auditor to offer an opinion on whether the annual report is fair, balanced and understandable. Changes were made to the UK Corporate Governance Code in October 2012, requiring annual reports to be fair, balanced and understandable. As noted above, the strategic report guidance, published by the Financial Reporting Council (FRC) in 2014, builds on these changes. In developing its guidance, the FRC was mindful of ongoing developments in integrated reporting as there is a shared goal of improving the quality of corporate reporting. More detail on these changes can be found in annex 2.

Background

As part of a risk-based approach to internal auditing the Chief Internal Auditor gives conclusions on a case-by-case basis on how well financial, operational and strategic risks are being managed. Using findings from audits carried out, plus other sources of information, he also provides management and the Audit Committee with a wider assessment of risk management effectiveness and the effectiveness of internal control.

Independently of each other the Chair of the Audit Committee and the Chief Internal Auditor felt that the Chief Internal Auditor should give an opinion on whether he thought the annual report was fair, balanced and understandable. The Audit Committee also asked the opinion of several other functions – management, the external auditors and the legal function – in order to reach its final conclusion. The Chief Internal Auditor felt the question showed that the Audit Committee values the input of internal audit and understands the uniquely broad view it has across the group’s activities and all levels of management.

This was a new requirement in a new area for internal audit and it was not possible to learn from what others had done before. As a starting point, the Chief Internal Auditor therefore looked for definitions of “fair, balanced and understandable”. There were several useful articles by the Big Four consultancies which, although they were not specifically aimed at internal audit, tried to define the terms. He then had to work out how these words could be folded into a practical approach – and then attach a lot more detail to that approach.

Methodology

The Chief Internal Auditor put himself in the shoes of the external investor/man on the street to check that the use of language in the report was user-friendly and also to make sure that it would reflect the realistic position of the company. He asked himself questions like: how is the year summarised by the chairman and the CEO? Are their summaries appropriate in relation to the numbers? Are the regional summaries accurate? Is the CFO’s report a fair assessment of performance?

The Chief Internal Auditor and his quality assurance manager began by reading the draft annual report and accounts separately, so that they could form opinions alone and then compare notes afterwards. The area they focused on was the narrative reporting rather than the accounts, as these were scrutinised by the external auditors, and in particular they looked at the overall review of performance and the forward looking statement.

The work carried out by the Chief Internal Auditor contributed to a statement being included in SABMiller’s 2014 annual report, extracts from which are:

“At the request of the board, from 2014, the Audit Committee considers whether the annual report is fair, balanced and understandable and whether it provides the necessary information for shareholders to assess the group’s performance, business model and strategy.

…The committee reviewed and discussed with management the processes undertaken to ensure that the annual report was fair, balanced and understandable and reviewed drafts of the report themselves to consider if it appeared to be so. The committee also received reports from the Chief Internal Auditor and the external auditors on whether or not the results of their respective reviews and other work would suggest otherwise.

…Based on this, the committee recommended the annual report to the board as fair, balanced and understandable and providing the necessary information for shareholders to assess the group’s performance, business model and strategy”


This was not the first time the Chief Internal Auditor was seeing the information as there are well-established governance structures in place so he could see where each piece of information was coming from and they made sense to him. He also compared and contrasted the commentary in the report and accounts with what he knew had previously been reported to the Group Audit Committee. At this point, it was also useful to bring in the knowledge he had accumulated through discussions across the organisation and in visits to operations in other countries, as well as what he knew from formal reports and meetings. Some areas needed further explanation e.g. where charts were not related to the narrative around them.

After comparing notes with his Quality Assurance Manager, the Chief Internal Auditor asked for some clarifications from the contributors to the draft document. Selected sections of the report that referred to regional performance were sent to regional heads of internal audit to check whether they agreed with the report’s assessments on issues such as market dynamics and brand performance in their regions. The Chief Internal Auditor compared their responses with his own overview of what he knew was happening in their regional markets.

Having completed the work, he prepared a single page to present to the Audit Committee in May 2014. This explained the background to the request and then gave a simple, clear conclusion: “The fiscal 2014 draft annual report and accounts and associated draft preliminary announcement are fair, balanced and understandable”. He then gave a few points noted during the review – for example, some improvement opportunities – and explained how he had reached the opinion giving examples of the sources consulted.

Concluding thoughts

SABMiller has ideal conditions in place for the HIA to get involved in this work – a strong governance structure with audit committees at group, regional and national levels. The Chief Internal Auditor sits in on all meetings at the regional level and some at the national level and also attends some executive committee meetings so he can see the execution of strategy at a day-to-day level. As well as this he has an internal audit team of about 120 people, so it helped that he could discuss his views with colleagues.

This kind of work is about points of measurement but also nuances and subtleties so showing judgement is critical. You need to be experienced to do it and use the experience you have gained throughout your career to help you form these judgements.


Philips – Integrated reporting

Background

Philips has published an integrated Annual Report since 2008. The report links its business strategy with environmental and social trends; combining financial performance disclosures with sustainability performance data. Embedding sustainability into Philips’ strategy and reporting helped demonstrate the unified approach that the company has to its products which often have a direct impact on societal well-being.

The drive to publish an integrated annual report came from senior management in sustainability and control, supported by the top of the organisation. As with the other case studies, this is a crucial foundation for organisations to start to adopt integrated reporting.

There were three key factors behind the adoption of integrated reporting at Philips:

• It was important to convey the extent to which sustainability is ingrained in the business strategy

• It helped with improved communication to stakeholders, particularly analysts and investors, through the simplicity of having one report where both financial and non-financial information could be found

• Reduced cost

Based on the above factors, the decision was taken to integrate the two separate reports into one. Initially the integrated reporting work involved the company chief accountant and the global head of sustainability. As the report then developed more functions became involved such as group control, design and IT.

Benefits of IR

The production of an integrated report brought about business process improvement, especially related to sustainability reporting as it helped to speed up the reporting timelines of the non-financial functions to bring them into line with the finance teams’ reporting timelines which were faster and more well-established. This exercise in streamlining was challenging as it involved many stakeholders, some of whom were not used to the monthly and quarterly reporting “drumbeat” at first. But it developed over time. Next, the control procedures needed to be enhanced for the non-financial data.

Philips found that integrated reports attract a larger audience than annual financial reports, and have also helped to improve employee engagement as the reports highlight to employees what is happening in relation to the organisation’s strategy and they are proud that Philips takes sustainability seriously.

The company also continues to improve the interactivity of the annual report website with each integrated report that is issued. The website’s interactivity can be demonstrated for example by value creation in relation to the six forms of ‘capital’ – the user can click on each capital which then drills down into further detail on how the company creates value. Philips were also able to track user experience of the website which helped them understand what users thought was important and relevant.

Assurance

Philips has shaped its own reporting framework, which it has developed further year by year by increasing the standard of sustainability assurance to match financial audit. This grew from a starting point of only providing limited assurance on sustainability. In 2008, KPMG, the external auditor, provided limited assurance on the non-financial information in the first integrated report.

The difficulty in providing higher levels of assurance around non-financial data lies in the lack of robust and reliable underpinning software. In 2010 Philips started a project with KPMG – ‘The road to reasonable assurance’ – which looked at getting higher levels of assurance on controls around non-financial information. For the environmental, health and safety and carbon footprint information they introduced a new system, Credit360¹⁰, to manage the sustainability data to enable audit trails etc. From the 2011 annual report onwards it shows where reasonable assurance has been provided on non-financial data.

In 2014, internal audit became involved for the first time as the company hired an auditor with sustainability experience from PwC as a full-time employee to help with the function’s assurance work in this area. As time goes on they hope that much of the work that the external auditors provide assurance on will be able to be covered by internal audit.

10 Credit360 is a specialist provider of sustainability software


Marks and Spencer plc – Sustainability reporting

Background

Marks and Spencer plc (M&S) is a member of the International Integrated Reporting Council pilot and is committed to sustainable reporting principles and embedding sustainability into decision making. They intend to publish a fully integrated report within the next two years but started on the journey in their last report.

In 2014, for the first time, the strategic report included how their business model creates value. For example, there was further information about the broader value outputs such as the amount of training received by every customer assistant through to details of the company’s total cash tax contribution to the UK Exchequer. This was their first attempt which they intend to build on and further improve in future years.

They believe that the connections between the strategy, risk analysis and performance measures are necessary for an organisation to effectively communicate its ability to create and sustain value in the short, medium and long term. The teams across the organisation are working together to improve the processes that underpin the linkages between strategy, risk mitigation and key performance indicators so that they can be reported upon in an integrated report. Ultimately the integrated report should show how non-financial risks are mitigated to enhance financial value.

M&S believe that the primary audience for the integrated report is key investors and that the report should focus on the matters that the organisation perceives are material to success. There is an existing audience for sustainability reports who use the information as a benchmarking tool for social and environmental impacts and will continue to do so.

Internal audit and risk

There is a joint internal audit and risk function at M&S. Group Risk facilitates the risk process that is ultimately owned by the Group Board. Internal Audit is accountable to the Audit Committee and uses a risk-based approach to provide independent assurance over the adequacy and effectiveness of the control environment, including controls related to key risks on the Group Risk Profile.

Assurance on the sustainability report

A wide range of non-financial issues including social, environmental and ethical are reported on in the company’s sustainability report, known as the ‘Plan A’ report. The Plan A report and annual report have become much more integrated over time through the use of consistent key performance indicators (KPIs) and explanation of the business model.

The 2014 Plan A report contains around one hundred commitments, which have been made to tackle the social and environmental impact of the business (including some going back to 2007). These are ranked by M&S management in terms of importance to both stakeholders and to M&S. A big 4 firm audits the commitments which are of high importance to stakeholders and either high or medium importance to M&S. All other commitments (around half of the total) are audited by the internal audit team.

The evidence gathering procedures have been designed to obtain a limited level of assurance.

The internal audit team partners with the big 4 team to ensure a consistent approach, leveraging the big 4 team’s specialist expertise on sustainability auditing e.g. carbon neutrality. When conducting audits in the area of sustainability, internal audit makes use of an auditor with experience of auditing Plan A, alongside a newer colleague. In this way, newer members of the internal audit team get insight into the Company’s Plan A commitments and benefit from the experience of their more tenured colleague and the big 4 personnel.

Both the external assurance provider and internal audit have worked on providing assurance in this area for about a decade. This working relationship is one they can build on as the company moves further towards producing an integrated report in the future.


Annex 1 – Key questions for internal audit in relation to integrated reporting

1. What are the existing governance, risk management and control processes to be leveraged by the organisation for integrated reporting purposes?

2. Does integrated reporting cover the material activities, capitals and stakeholders? Does it reflect the organisation’s current and future objectives?

3. Is the underlying process for the production of the integrated reporting adequate?

4. Does the integrated reporting scope reflect the organisation’s reporting strategy?

5. Is the information conveyed in the integrated reporting reliable?

6. What is the level of understanding of integrated reporting concepts and principles within the organisation?

7. Are key information providers to the integrated reporting such as risk management, finance and sustainability functions strategically aligned and future focused?

8. Are the responsibilities of the functions involved in the integrated reporting clearly defined? Are communication lines effective?

9. How is connectivity taken into account in the organisation’s IT governance?

10. Is financial and non-financial information correctly linked in the organisation’s value creation process? And in its external communications?

11. Is the information on the nature and the materiality of the interactions with stakeholders for the value creation process over time reliable?

12. Is web technology sufficiently leveraged for effective communication with stakeholders?

13. Does the process of selecting the organisation’s key stakeholders reflect capital ownerships and emerging trends?

14. Are the organisation’s responses to significant crises impacting key stakeholders adequate?

15. Do materiality determination processes ensure an alignment with the organisation’s value creation model and risk management system?

16. Are materiality thresholds taken into account in decision making and in interactions with key stakeholders?

17. Are material issues excluded from the report?

18. How are cross-references to internal and external sources managed and monitored?

19. Does the report adequately balance conciseness and transparency?

20. Are the standards and rules adopted by the organisation relevant as regards its reporting strategy and regulatory requirements? Are they effectively used across the organisation?

Source: Enhancing Integrated Reporting, a joint publication by the IIA institutes of France, the Netherlands, Norway, Spain and the UK and Ireland.


Annex 2 – New reporting requirements

The European Union Directive on non-financial reporting

In September 2014, the European Council adopted the Directive on disclosure of non-financial and diversity information. The new rules will only apply to some large companies with more than 500 employees. In particular, large public-interest entities with more than 500 employees will be required to disclose certain non-financial information in their management report.

Companies concerned will need to disclose information on policies, risks and outcomes as regards environmental matters, social and employee-related aspects, respect for human rights, anti-corruption and bribery issues, and diversity in their board of directors. There will be significant flexibility for companies to disclose relevant information in the way that they consider most useful, or in a separate report.

Member States will have two years to transpose the Directive into national legislation. Therefore, companies concerned will have to start reporting as of their financial year 2017. The Commission is preparing non-binding guidance to facilitate this type of disclosure.

There is a major difference between this Directive and integrated reporting. The Directive focuses on environmental and social disclosures, which could be perceived as a step to integrated reporting. Integrated reporting goes beyond this by requiring the integration by companies of financial, environmental, social and other information in a comprehensive and coherent manner. This Directive does not require companies to comply with integrated reporting.

The European Confederation of Institutes of Internal Auditing (ECIIA) has published guidance¹¹ which shows how internal audit can help organisations achieve better transparency in their reporting and improve their corporate governance when implementing the European Directive on Non-Financial Reporting.

Narrative reporting requirements

As of October 2013, all quoted companies in the UK are now legally required¹² to prepare a Strategic Report as part of their annual report unless they have an exemption. The purpose and required content of the Strategic Report, which replaces the Business Review, has the additional requirements for quoted companies to provide information on their business model and strategy in order to give investors an insight into the way the business is run and its strategic direction.

The majority of the disclosures in the EU Directive on Non-Financial Reporting are already reflected in the Strategic Report requirements. The main change for UK quoted companies will be the introduction of disclosures on anti-corruption and bribery issues.

FRC guidance on the Strategic Report

In June 2014 the FRC published guidance on the Strategic Report. The guidance gives an overview of the various components of an annual report and considers where information should best be placed.

On assurance, the Guidance says: The source of disclosure requirements, and their location in the annual report or otherwise, will usually affect the level of assurance to which information is subjected (e.g. audit, review or no formal assurance). It is important that, as a minimum, it is clear which information has been subject to audit and which has not. This is particularly the case where the application of the guidance set out in this section has resulted in the splitting of disclosure requirements derived from a single legislative or regulatory source or the combination of requirements derived from different sources.

The Global Reporting Initiative

The Global Reporting Initiative was founded in 1997 with a mission to provide the guidance and support that would make sustainability reporting standard practice. It issued its first reporting framework in 2000, and the GRI framework has evolved over time and become the benchmark for best practice in sustainability reporting. Over 11,000 companies now use the GRI framework as the basis of their reporting. In May 2013, GRI released the fourth generation of its Guidelines (G4).

The United Nations Guiding Principles on Business and Human Rights

The United Nations argues that if reporting is to be meaningful then new approaches will be needed. It has produced the UN Guiding Principles Reporting Framework¹³ which is the first comprehensive guidance for companies to report on how they meet their responsibility to respect human rights in line with the UN Guiding Principles on Business and Human Rights.

The Framework is made up of 31 questions which companies should strive to answer to show that they are meeting their responsibility to respect human rights in practice. The UK Government has published a plan¹⁴ which marks the start of the UK’s work on implementing the UN Guiding Principles and it calls on businesses and civil society to help put the plan into action.

11 Non-Financial Reporting: Building trust with internal audit, ECIIA, 2015

12 The Companies Act 2006 (Strategic Report and Directors’ Report) Regulations 2013 (the ‘Regulations’)

13 UN Guiding Principles Reporting Framework with implementation guidance, 2015

14 Good Business, Implementing the UN Guiding Principles on Business and Human Rights, HM Government, September 2013


www.iia.org.uk

Chartered Institute of Internal Auditors

13 Abbeville Mews 88 Clapham Park Road London SW4 7BX

tel 020 7498 0101

fax 020 7978 2492

email [email protected]

© July 2015

About the Chartered Institute of Internal Auditors

First established in 1948, the Chartered Institute of Internal Auditors (IIA) obtained its Royal Charter in 2010. It is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland. It has over 8,700 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Over 2,000 members of the institute are Chartered Internal Auditors and have earned the designation CMIIA. Over 800 of our members hold the position of head of internal audit and the majority of FTSE 100 companies are represented amongst the institute’s membership.

Members of the Chartered Institute of Internal Auditors are part of a global network of over 180,000 members in 170 countries. All members across the globe work to the same International Standards and Code of Ethics.

More information on the Institute is available at www.iia.org.uk
