CSR assurance: growth industry

Corporate non-financial reporting has entered the business mainstream, with
two-thirds of the global FT500 publishing an environmental, sustainability or
‘corporate social responsibility’ report in 2007s.

These reports cover a range of issues, most usually environmental impacts,
but increasingly including social, ethical, supply chain and even human rights
issues. In ways they’re similar to annual report & accounts, so it’s not
surprising that many of them have an external assurance statement to demonstrate
that the information has been verified and may be relied upon.

Of the 3,000 CSR reports that will be published worldwide during 2008, around
750 will include an external assurance statement. But while verifications and
audits for year end accounts are usually closely regulated and follow a standard
format, this isn’t the case for the CSR assurance statements.

These reports are voluntary and the assurance statements aren’t regulated:
their scope, the way they’re approached and the format and wording of the
published assurance statements differ widely, making this a very confusing field
for practitioners and clients alike. There is no ‘common currency’ of
methodology, terms and definitions, and although there are various approaches
(see below for a brief outline of the two leading ones) there is no single
approach accepted and referenced by all provider types.

Our report looks at the individual elements and trends in the CSR assurance
market, and gives an overview and guide for the perplexed. Here are some of the
report’s findings.

Who’s providing CSR assurance statements?

Although there are several hundred different providers developing CSR
assurance statements, three major provider types dominate the market: The Big
Four, certification bodies and specialist consultancies. Together these provider
types account for around 90% of the market, with non-Big Four accountants
providing a further 2% share.

In 2005 The
International Auditing and
Assurance Standards Board (IAASB) issued ISAE 3000 as a standard for ‘other’
assurance engagements. This standard has been helpful for the accountants
operating in the CSR field, so useful in fact that although developed by
professional accountants for professional accountants, CSR assurance providers
outside the accountancy profession are beginning to use it and reference it in
their own statements.

The other specific standard in this field is the AA1000 Assurance Standard
developed by AccountAbility (accountability21.net). This standard may be used by
any assurance provider, and is used by accountants and non-accountants alike.

What are the trends?

Over the past decade we’ve seen growing professionalism and consolidation of
the CSR assurance market. The smaller providers ­ such as broader consultancies,
individuals, trade bodies, academics ­ are being edged out, and one of the
biggest winners are the Big Four, with their increasing specialisation and
global reach.

There are strong regional differences. Just under a third of European CSR
reports include an assurance statement, yet in North America this figures drops
to around 7%. Why is this? One possible explanation is that US reports do not
yet show the depth and breadth of issues seen in European reports. With
honourable exceptions, US companies appear more enthusiastic in reporting how
money is spent rather than how it’s earned (witness the 8% of top 100 US
companies currently producing ‘philanthropy’ reports rather than multi-issue CSR
reports) and it may be argued that this type of disclosure does not demand or
even benefit from external assurance.

How to ensure a CSR assurance statement is ‘meaningful’?

Our report demonstrates that the approach and communication of a CSR
assurance statement are largely dependent on the type of provider engaged to do
the work. In other words, an accountant, certification body or specialist
consultancy will each have their own specific views on what CSR assurance is all
about, with a body of evidence to back up their case. The ‘key elements’ (see
box) form a solid foundation for a ‘meaningful’ statement regardless of provider
type ­ if they are all included then a client, or an assurer, won’t go far
wrong.

However there are a couple of further pitfalls to avoid. If the assurance
provider also happens to be the company responsible for writing the report,
there’s an obvious potential conflict of interest and a clear lack of
independence. Nevertheless, several companies persist in doing just this. If
impartiality is fundamental to establishing trust through these reports, they’re
missing the mark.

A further variant is the ‘opinion statement’: a glowing statement by an
individual, perhaps an academic or even a ‘green celebrity’, with no stated
methodology or evidence of investigation. Invariably, such opinion statements
are passed off as verification or assurance statements. If you’re a client,
despite the superficial attraction, best to avoid this route. As the adage goes,
if a job’s worth doing at all, it’s worth doing properly!

The key elements

Using a combination of a best practice review across five countries and
references in relevant initiatives & standards, the following key elements
have been identified as essential for inclusion in a ‘meaningful’ CSR assurance
statement:

Reference to standardised approaches and levels of assurance. The most
commonly referenced approach is ISAE 3000, together with two others (AA1000AS
and the GRI guidelines). The levels of assurance outlined by ISAE 3000 are the
‘reasonable’ and ‘limited’ levels familiar to accountants worldwide, but other
provider types are beginning to introduce assurance levels of their own.

Specific declarations. It’s useful for the statement to include a range of
information including but not limited to: the statement’s intended audience, a
declaration of the provider’s independence, the respective responsibilities of
client and provider, any disclaimers.

Methodology. How has the work been conducted? Has the provider looked only at
internal paperwork, or have staff been interviewed, sites visited, data systems
scrutinised and external stakeholders questioned? Does the statement cover the
entire report or only selected information?

Provider recommendations and opinions. What are the provider’s views about
the about the report and the company’s performance? How might the report be
improved or performance enhanced? Often such information is provided in an
internal report, but it’s useful to include views in the public statement for
the benefit of external stakeholders.

Assurance conclusions. The most important key element – should be included in

every statement.

Paul Scott is MD of CorporateRegister.com. Its report,
The Assure View, is available as a free download from CorporateRegister.com