Ready to report
Deborah Evans, business manager for corporate reporting and assurance at LRQA, advises on how to establish a CSR report's contents and prepare for verification
A report must be responsive to stakeholder concerns, social responsible investment requirements and stock exchange indexes. It should also be inclusive of society concerns, transparent and accountable, and address performance and efficiency Where should a company start?
First the scope of the report needs to be defined. Scope relates to the company's footprint - where it operates and its impacts arising from processes and products. Companies can usually identify their main business operations and processes but are less clear about those associated with joint ventures and subsidiaries.
Likewise, reports on supply chain and product impacts tend to be less meaningful on issues that stakeholders believe companies can influence. For example child labour used in supply chains is not acceptable to many stakeholders, yet corporate reports rarely explain how companies are trying to tackle it.
There is no right or wrong scope as long as top management records its decision on whether the corporate report will cover all, or only significant issues. This decision is fundamental to the external assurance process for determining whether the report is "a fair and balanced representation". A company needs to be able to justify why certain company activities are not reported or else stakeholders may be misled.
External assurance is where independent auditors are contracted to review the company's corporate report to ensure that it addresses stakeholder concerns and that published data and information is correct. As assurance is constrained by commercial costs, these audits are conducted on a risk analysis basis and agreement that the company's decision on what it considers significant is valid. How often should companies produce a report?
Reporting periods tend to be annual - either calendar or financial. However, there may be a need for companies to report more frequently, in which case they must select an appropriate method of communicating their information - the frequency and type of media chosen has implications for the assurance process.What to report?
The basic contents of any report can be established readily by reviewing legislative requirements, peer reports and media coverage associated with the company and its industry sector. These provide the backbone of the report and the performance indicators that most stakeholders want a company to respond on. To-date more than 600 international companies have produced an annual report. The majority of these are based on guidelines such as the Global Reporting Initiative (GRI), Assurance Standard (AA1000 AS) and/or EMAS.
Identifying performance indicators unique to the company and inclusive of societal concerns is a more time-consuming process. Focus groups can help companies assess whether their activities are understood and enable constructive dialogue on key issues.
Information gathered at these meetings helps top management determine which concerns need to be addressed in the corporate report. This dialogue is vital if the report is to be relevant.
Stakeholders' main requirement for performance data is that it is in a format that allows for easy comparison. Therefore, when companies establish baseline data, it is worth them spending time on formulating clear processes for data monitoring, gathering, calculation and aggregation.
Effective implementation of these processes across the company takes time but ensures that the data is consistent and can be compared from year to year. Companies should continually strive for robust data collection systems.
For those issues that top management has decided to cover, performance reporting is usually annual. However, reporting trends provide stakeholders with a wider picture of the company's commitment to improvement as progress against objectives and targets is more apparent.
Where there is significant deviation (positive or negative) against a performance indicator, stakeholders should be told why. The inclusion of negative information can increase the credibility of the report as it helps to demonstrate a company's honesty.
Once a company has established the report's contents, performance measures and supporting data systems, the ownership of data and information needs to be assigned. This is important for internal accountability and external assurance.Independent assurance
The credibility of the data and information disclosed is critical and one that companies need to address.
Tom Delfgaauw, chair of AccountAbility, says: "The word of business is no longer believed, so independent assurance of reporting has become extremely important." This particularly applies following the Enron and Worldcom scandals.
The role of an assurance provider is to validate that the report is balanced, fair, complete, unbiased and that it provides a relevant account of the company's business.How should companies prepare for assurance?
Prior to the assurance audit, companies should be confident that all providers of data and information have double-checked the origins of their data. Internal audits and/or production of support files are both acceptable forms of evidence for auditors to base their assessment samples on.
Auditors will also require access to sites, records and data systems, so it is important to ensure that personnel are prepared and available for the assessment. However, very often these preparatory steps are not undertaken in-house due to resource constraints, so companies can gain significant benefits from an assurance assessment including:
- identification of specific gaps in performance indicators;
- identification of process improvements;
- a comprehensive evaluation of data collection systems; and
- an indication of the data's materiality, together with a list of errors discovered during the audit.
Companies should also ensure that there is time to carry out rewrites when data can't be substantiated and detailed data transcription checks. All too often the publication deadline occurs before the process is complete and assurance providers will want to see the final copy before issuing an assurance statement.Selecting an assurance provider
Essential to the credibility of any verification is the reputation of the assurance provider. Previous assurance experience and knowledge of the industry sector is key.
The provider must be able to demonstrate that competent personnel will be undertaking the verification. Depending on the nature of the business, it may be important to check the provider's international capabilities.
An additional selection criterion, following the financial auditing scandals of previous years, should be conflict of interest. Where possible the assurance provider should not have undertaken development or consultancy work within your company, or as a minimum declare their level of involvement.
Ultimately, assurance exists to ensure that companies manage their risk, integrate controls into day-to-day operations, change stakeholders' expectations and protect their corporate reputation. It is also to ensure that these corporate reports are a good read for stakeholders.