Companies are increasingly required to report on information other than their financial positions. This new emphasis on non-financial information encompasses environmental, social, anti-corruption and bribery, diversity and human rights factors. This report provides some early insights into how internal audit can and is beginning to be harnessed by organisations in the vanguard of this new era of corporate reporting.
Download this report (pdf)
A new era for corporate reporting is dawning as business strategies and how they are controlled come under greater scrutiny by their stakeholders including investors, customers, local communities, and legislative/regulatory policy-makers.
In 2013 the UK Government introduced a new regulation under the Companies Act requiring all incorporated entities to prepare a strategic report. This should provide a description of the entity’s strategy, objectives and business model, an explanation of the main trends and factors affecting the entity, including its principal risks and other nonfinancial information relating to the environment, employees, social, community, human rights issues and gender diversity.
In the same year, the International Integrated Reporting Council published its voluntary Integrated Reporting Framework. When adopted this enables organisations from all sectors to produce a concise and accessible report on how they create value in the context of their strategy, governance, performance and external environment.
The EU Council, in September 2014, adopted a Directive on non-financial reporting that will, from 2017, require companies to disclose a wider range of information, including policies, risks and outcomes on issues such as the environment, human rights, social, anti-corruption, diversity, etc.
But implementing these new types of reports presents challenges. They require organisations to bring together information on what may be disparate parts of the business into an inclusive view of its activities and impact.
One of the challenges is how to ensure that controls are effective, the right things are measured and that systems and processes are in place to capture the data needed for reporting purposes. The quality of those systems and outputs must be, as far as possible, evaluated and stakeholders assured on them so that reporting is accurate and reliable.
Internal audit has a broad view across the organisation’s systems and processes and it should have a role in providing assurance over quality of information contained in the strategic and integrated reports. This key role is well within the remit of a well resourced, appropriately positioned and influential internal audit function.
The Crown Estate is an independent commercial business, created by an Act of Parliament. Its role is to make sure that the land and property it invests in and manages is sustainably worked, developed and enjoyed to deliver the best value over the long term. The property managed by The Crown Estate is owned by the Crown but is not the private property of the monarch and its profits are returned to the Treasury for the benefit of all UK taxpayers. Over the last ten years, it has contributed over £2.2bn to the public finances.
The Crown Estate is managed by a board with clear governance structures. While it doesn’t have investors in the same way as a publicly traded company it is important for them to justify their licence to operate and tell the story of their proposition to all of their stakeholders, including the Treasury, and be as transparent as possible. This transparency builds trust and is a key driver of commercial success.
The Crown Estate published its first Integrated Report in 2013. They were building on a long history of sustainable business practice but had previously published separate reports. Integrated thinking has helped them to pose the question of how to create value in the short, medium and long term. To do this they have laid out a new vision for 2022 and have evolved their business planning process to make sure it takes account of the material issues that will influence their performance. In addition to understanding how they create value they have also developed an approach to measure that value they call “Total Contribution”. This goes beyond the financial returns to the social and environmental contributions its activities deliver for the United Kingdom.
The organisation set up a three-year plan to develop its approach to integrated reporting. Internal audit was brought in at year two working closely with one of the accounting firms in a co-sourced model.
To start the process off they asked what the material issues were and looked first at the key risks. A group including the Finance Director, the Head of Sustainability, corporate affairs, internal audit, legal, risk and representatives from the portfolios met monthly to integrate their thinking. They started with the risk register and reviewed it to assess what was really material. The behaviour and openness of the group was key to the successful collaboration. It was challenging to decide on what the material issues were but they found the debate itself extremely valuable. What drives materiality decisions is whether the issues are important to the board or not and they do not separate materiality between financial and non-financial. In fact, The Crown Estate stresses that all the material issues have financial and non-financial impacts.
The necessary conditions before an organisation starts on this journey are an understanding of sustainability issues and the level at which sustainability sits in the organisation, leadership support, and the right culture.
At SAB Miller, the Chair of the Audit Committee asked the Chief Internal Auditor to offer an opinion on whether the annual report is fair, balanced and understandable. Changes were made to the UK Corporate Governance Code in October 2012, requiring annual reports to be fair, balanced and understandable. As noted above, the strategic report guidance, published by the Financial Reporting Council (FRC) in 2014 builds on these changes. In developing its guidance, the FRC was mindful of ongoing developments in integrated reporting as there is a shared goal of improving the quality of corporate reporting.
As part of a risk-based approach to internal auditing the Chief Internal Auditor gives conclusions on a case-by-case basis on how well financial, operational and strategic risks are being managed. Using findings from audits carried out, plus other sources of information, he also provides management and the Audit Committee with a wider assessment of risk management effectiveness and the effectiveness of internal control.
Independently of each other the Chair of the Audit Committee and the Chief Internal Auditor felt that the Chief Internal Auditor should give an opinion on whether he thought the annual report was fair, balanced and understandable. The Audit Committee also asked the opinion of several other functions - management, the external auditors and the legal function – in order to reach its final conclusion. The Chief Internal Auditor felt the question showed that the Audit Committee values the input of internal audit and understands the uniquely broad view it has across the group’s activities and all levels of management.
This was a new requirement in a new area for internal audit and it was not possible to learn from what others had done before. As a starting point, the Chief Internal Auditor therefore looked for definitions of “fair, balanced and understandable”. There were several useful articles by the Big Four consultancies which, although they were not specifically aimed at internal audit, tried to define the terms. He then had to work out how these words could be folded into a practical approach – and then attach a lot more detail to that approach.
The work carried out by the Chief Internal Auditor contributed to a statement being included in SABMiller’s 2014 annual report, extracts from which are:
“At the request of the board, from 2014, the Audit Committee considers whether the annual report is fair, balanced and understandable and whether it provides the necessary information for shareholders to assess the group’s performance, business model and strategy.
…The committee reviewed and discussed with management the processes undertaken to ensure that the annual report was fair, balanced and understandable and reviewed drafts of the report themselves to consider if it appeared to be so. The committee also received reports from the Chief Internal Auditor and the external auditors on whether or not the results of their respective reviews and other work would suggest otherwise.
…Based on this, the committee recommended the annual report to the board as fair, balanced and understandable and providing the necessary information for shareholders to assess the group’s performance, business model and strategy”
The Chief Internal Auditor put himself in the shoes of the external investor/man on the street to check that the use of language in the report was user-friendly and also to make sure that it would reflect the realistic position of the company. He asked himself questions like: how is the year summarised by the chairman and the CEO? Are their summaries appropriate in relation to the numbers? Are the regional summaries accurate? Is the CFO’s report a fair assessment of performance?
The Chief Internal Auditor and his quality assurance manager began by reading the draft annual report and accounts separately, so that they could form opinions alone and then compared notes afterwards. The area they focused on was the narrative reporting rather than the accounts, as these were scrutinised by the external auditors, and in particular they looked at the overall review of performance and the forward looking statement.
This was not the first time the Chief Internal Auditor was seeing the information as there are well-established governance structures in place so he could see where each piece of information was coming from and they made sense to him. He also compared and contrasted the commentary in the report and accounts with what he knew had previously been reported to the Group Audit Committee. At this point, it was also useful to bring in the knowledge he had accumulated through discussions across the organisation and in visits to operations in other countries, as well as what he knew from formal reports and meetings. Some areas needed further explanation e.g. where charts were not related to the narrative around them.
After comparing notes with his Quality Assurance Manager, the Chief Internal Auditor asked for some clarifications from the contributors to the draft document. Selected sections of the report that referred to regional performance were sent to regional heads of internal audit to check whether they agreed with the report’s assessments on issues such as market dynamics and brand performance in their regions. The Chief Internal Auditor compared their responses with his own overview of what he knew was happening in their regional markets.
Having completed the work, he prepared a single page to present to the Audit Committee in May 2014. This explained the background to the request and then gave a simple, clear conclusion: “The fiscal 2014 draft annual report and accounts and associated draft preliminary announcement are fair, balanced and understandable”. He then gave a few points noted during the review – for example, some improvement opportunities – and explained how he had reached the opinion giving examples of the sources consulted.
SABMiller has ideal conditions in place for the HIA to get involved in this work - a strong governance structure with audit committees at group, regional and national levels. The Chief Internal Auditor sits in on all meetings at the regional level and some at the national level and also attends some executive committee meetings so he can see the execution of strategy at a day-to-day level. As well as this he has an internal audit team of about 120 people, so it helped that he could discuss his views with colleagues.
This kind of work is about points of measurement but also nuances and subtleties so showing judgement is critical. You need to be experienced to do it and use the experience you have gained throughout your career to help you form these judgements.
Philips has published an integrated Annual Report since 2008. The report links its business strategy with environmental and social trends; combining financial performance disclosures with sustainability performance data. Embedding sustainability into Philips’ strategy and reporting helped demonstrate the unified approach that the company has to its products which often have a direct impact on societal well-being.
The drive to publish an integrated annual report came from senior management in sustainability and control, supported by the top of the organisation. As with the other case studies, this is a crucial foundation for organisations to start to adopt integrated reporting.
There were three key factors behind the adoption of integrated reporting at Philips:
Based on the above factors, the decision was taken to integrate the two separate reports into one. Initially the integrated reporting work involved the company chief accountant and the global head of sustainability. As the report then developed more functions became involved such as group control, design and IT.
The production of an integrated report brought about business process improvement, especially related to sustainability reporting as it helped to speed up the reporting timelines of the non-financial functions to bring them into line with the finance teams’ reporting timelines which were faster and more well-established. This exercise in streamlining was challenging as it involved many stakeholders, some of whom were not used to the monthly and quarterly reporting “drumbeat” at first. But it developed over time. Next, the control procedures needed to be enhanced for the non-financial data.
Philips found that integrated reports attract a larger audience than annual financial reports, and have also helped to improve employee engagement as the reports highlight to employees what is happening in relation to the organisation’s strategy and they are proud that Philips takes sustainability seriously.
The company also continues to improve the interactivity of the annual report website with each integrated report that is issued. The website’s interactivity can be demonstrated for example by value creation in relation to the six forms of ‘capital’ - the user can click on each capital which then drills down into further detail on how the company creates value. Philips were also able to track user experience of the website which helped them understand what users thought was important and relevant.
Philips has shaped its own reporting framework, which it has developed further year by year by increasing the standard of sustainability assurance to match financial audit. This grew from a starting point of only providing limited assurance on sustainability. In 2008, KPMG, the external auditor, provided limited assurance on the non-financial information in the first integrated report.
The difficulty in providing higher levels of assurance around non-financial data lies in the lack of robust and reliable underpinning software. In 2010 Philips started a project with KPMG – ‘The road to reasonable assurance’ - which looked at getting higher levels of assurance on controls around non-financial information. For the environmental, health and safety and carbon footprint information they introduced a new system, Credit360, to manage the sustainability data to enable audit trails etc. From the 2011 annual report onwards it shows where reasonable assurance has been provided on non-financial data.
In 2014, internal audit became involved for the first time as the company hired an auditor with sustainability experience from PwC as a full-time employee to help with the function’s assurance work in this area. As time goes on they hope that much of the work that the external auditors provide assurance on will be able to be covered by internal audit.
Marks and Spencer plc (M&S) is a member of the International Integrated Reporting Council pilot and is committed to sustainable reporting principles and embedding sustainability into decision making. They intend to publish a fully integrated report within the next two years but started on the journey in their last report.
In 2014, for the first time, the strategic report included how their business model creates value. For example, there was further information about the broader value outputs such as the amount of training received by every customer assistant through to details of the company’s total cash tax contribution to the UK Exchequer. This was their first attempt which they intend to build on and further improve in future years.
They believe that the connections between the strategy, risk analysis and performance measures are necessary for an organisation to effectively communicate its ability to create and sustain value in the short, medium and long term. The teams across the organisation are working together to improve the processes that underpin the linkages between strategy, risk mitigation and key performance indicators so that they can be reported upon in an integrated report. Ultimately the integrated report should show how non-financial risks are mitigated to enhance financial value.
M&S believe that the primary audience for the integrated report is key investors and that the report should focus on the matters that the organisation perceives are material to success. There is an existing audience for sustainability reports who use the information as a benchmarking tool for social and environmental impacts and will continue to do so.
There is a joint internal audit and risk function at M&S. Group Risk facilitates the risk process that is ultimately owned by the Group Board. Internal Audit is accountable to the Audit Committee and uses a risk-based approach to provide independent assurance over the adequacy and effectiveness of the control environment, including controls related to key risks on the Group Risk Profile.
A wide range of non-financial issues including social, environmental and ethical are reported on in the company’s sustainability report known as the ‘Plan A’ report’. The Plan A report and annual report, have become much more integrated over time through the use of consistent key performance indicators (KPIs) and explanation of the business model.
The 2014 Plan A report contains around one hundred commitments, which have been made to tackle the social and environmental impact of the business (including some going back to 2007). These are ranked by M&S management in terms of importance to both stakeholders and to M&S. A big 4 firm provides audits the commitments which are of high importance to stakeholders and either high or medium importance to M&S. All other commitments (around half of the total) are audited by the internal audit team.
The evidence gathering procedures have been designed to obtain a limited level of assurance.
The internal audit team partners with the big 4 team to ensure a consistent approach, leveraging the big 4 team’s specialist expertise on sustainability auditing e.g. carbon neutrality. When conducting audits in the area of sustainability, internal audit makes use of an auditor with experience of auditing Plan A, alongside a newer colleague. In this way, newer members of the internal audit team get insight into the Company’s Plan A commitments and benefit from the experience of their more tenured colleague and the big 4 personnel.
Both the external assurance provider and internal audit have worked on providing assurance in this area for about a decade. This working relationship is one they can build on as the company moves further towards producing an integrated report in the future.