Investors and regulators are increasingly requiring companies to report non-financial information through environmental, social and governance reporting. In addition. companies have also taking a series of initiatives.for voluntary standards on climate change, social responsibility, strategies, business plans, risks and human rights. This presentation covers the definition, objerives and challenges in the non financial reporting, suggests an audit work program for non-financial information, and have a discussion case for greenhouse emission.
1. How to Audit Non-Financial
Information
Guidelines of IIA Spain
Nicolas Jerkovic
Chaiman Sustainability Committee
IIA Buenos Aires @InstitutoIAIA @NicolasJerkovic
Hernan Huwyler
Member of the Non-Financial Information Committee
IIA Madrid @AuditorInterno @hewyler
Buenos Aires, August 10th 2018
10. [10]
Why Relevant?
1975
S&P 500 Market Value
Today
Tangibles
Intangibles
Financial information
Audited annual statements
Non financial information
Reputation
Market differentiation
Credibility
Information gap
11. [11]
Why Relevant?
COSO 2013
NFI should have the same
rigor than NF
Non financial information
Complies with external
methodologies
Considers a required precision
level
Financial
+ Non
financial
12. [12]
Knowledge Factory
IIA Spain
Issue
Scope
Key IIA
members
Commission
Papers,
studies and
articles
Structure
Chairperson
Study groups
Peer review
Compilation
IIA Spain
Formatting
Approval
Diffusion
14. [14]
Non-Financial Information
Directive
2014/95/EU
non-financial
statements in
annual
reports
listed companies + FSI > staff 500
environmental, social and employee matters, respect
for human rights, anti-corruption and bribery
matters, board diversity
UN Global Compact, OECD guidelines, ISO 26000,
Global Reporting Initiative
no requirement regarding external audit's role in
respect of non-financial information
16. [16]
Non-Financial Information
Fragmented Past and
future
oriented
Immature
standards
Lacking
internal
policies
Assurance maps
Combined
assurance
Data integrity
audits
Link to non-
financial risks
Training for skills
gaps
Outsourcing
High-quality
assurance
Compliance effort
Traceability
17. [17]
Internal audit is uniquely situated within an organization to
provide insight on and support the implementation of
integrated reporting.
Internal audit:
• is familiar with process implementation in the organization
• can affect consistency of communication of metrics across
business units
• provides assurance to increase the credibility of metrics in the
non-financial report
• offers insight on potential risks to the organization
has a «seat at the table» from which it can influence the
adoption of Non-Financial Reporting to improve and strengthen
communications with internal and external stakeholders
Internal Audit Value Proposition
18. [18]
How to audit NFI?
Integrated
approach
based on
misreporting
risks
Materiality
External
reporting
Approvals
within 1st and
2nd lines of
defense
Confirmation
with 3Ps
Standards
ISO and
national
legislation
Clear
quantification
procedures
Validations
of data
collection and
KPIs
SMEs
Estimations!
19. [19]
How to audit NFI?
Audits on NFI
Assurance on
CSR reporting
Protection of
reputation
Scope
Internal and
external
reports
Regulated or
not
Roles
Auditing
Consultancy to
management
(Monitoring of GRC
projects)
Hot topics
How to audit
risks, business
plans and
compliance
NFI traceability
20. [20]
How to audit NFI?
Analytical
reviews
consistency
Benchmarking
industry
standards
Disclosure
explanatory
notes
Reasonability
physical or
chemical
relationships
correlations
21. [21]
How to audit NFI?
Governance
1 LoD
Set targets, collect and validate NF data,
calculate KPI
• Technical dept, operational reporting
2 LoD
Define reporting template and process
• Compliance, HSEQ, InfoSec, HR, CSR
3 LoD Reassurance that controls address NFI risks
22. [22]
How to audit NFI?
Standards
ISAE
3000
Assurance over non-financial information
• Internal control, sustainability and
compliance audits
• 3420 future FI, 3402 service organizations
ISAE
3410
Assurance engagements on greenhouse gas
• GHG statement is free from material
misstatement due to fraud or error
23. [23]
Tool SASB Five-Factor Test
What ESG data is important?
Direct
financial
impact
and risks
Legal and
complian
ce requie-
ments
Compe-
titive
driver
Stakeholder
concern
and social
trends
Opportu-
nity for
innova-
tion
Total
score
Eviro-
mental
GHG emisions 10 10 7 7 7 41
Air quality 5 7 5 5 5 27
Water management 8 6 7 5 10 36
Social Human rights 4 8 6 9 4 31
Community relations 3 5 5 10 2 25
Gover-
nance
Ethics 5 9 5 8 1 28
HSEQ 5 8 6 7 3 29
Risk management 10 9 8 7 7 41
Signed off by finance, EHSQ, legal, compliance, risk, investor relations, HR and IA
24. [24]
Tool Materialy Matrix
Importanceto
stakeholders
Impact on the organization
HighLow
High
CriticalResponsible
Not pertinent Strategic
Ethics
GHG
Air
Quality
Risks
HSEQ
Human
rights
Community
• Consultation to
stakeholders
• Media review
• Benchmarking
of ESG reports
• Industry reports
on trends and
issues
• Sustainability
risks
HR
Tax
+assurance
25. [25]
Case Study Carbon Audit
Primary data sources
Field Operation
Managers
Yield of soybean
> metric tons
per hectare,
equipment
runtime
Fleet Operations
Manager
Gasoline and
diesel fuel
consumed
> gallons
Cost Accounting
Analyst
Utility bills for
drying and
storage
> kW, gas cubic
feet
Fertilizers and
pesticides
> lbs
26. [26]
Case Study Carbon Audit
GHG quantification
Master data
•Plantations
•Facilities
•Fleet vehicles
•Equipment
•Land use change
Sustainability Reporting Manager
Voluntary
disclosure
reporting
GHG emissions of
soybean production
> kg CE/ton soybean
(CO2, N2O, CH4)
Standard
ISO 14064 standards
for greenhouse gas
accounting and
verification
Emissions
management software
+ Excel spreadsheets
27. [27]
Case Study Carbon Audit
1. Determine the scope and plan for the engagement
Reasonable assurance (high), voluntary reporting last 3 years, external annual report
(claims made, policies outlined and data published), company website and internal reports
on energy savings
2. Identify key risks
Discussions with the Sustainability Reporting Manager and the Cost Accounting Analyst
about scenarios (with current controls): system outage, activity data missing, improper
cut-off, data input errors, omitted plantations and equipment, inaccurate quantification
methodology, incorrect estimates
3. Determine the appropriate test approach
Synergies with financial audits of energy and gas invoices
4. Complete the engagement and document findings
28. [28]
Internal Audit Work Program
Accuracy
Data reflects the
reality
Conformance with
standards in
precision or detail
Verify that
•the primary data sources are accurate (clear internal data
questionnaires, measurement units and periods, certified
information reported by 3Ps)
•the secondary data sources are credible (databases from
recognized international organizations, government and
industry bodies)
•internal validations are done by independent and
competent personnel before submission (analytical reviews,
end-to-end recons, data checking, site visits,
reconfirmations)
29. [29]
Internal Audit Work Program
Accuracy
Data reflects the
reality
Conformance with
standards in
precision or detail
Verify that
•external assurance is obtained for nonfinancial reporting
•input data is compared to the applicable performance limits
•data based on estimations are clearly identified and
reviewed
Recalculate aggregation and conversion of NFI
Review conformance against standards
Sample testing against supporting documentation
30. [30]
Internal Audit Work Program
Consistency
Data is comparable
in two or more
representations
All systems reflects
the same
information
Verify that
•the policy for non-financial reporting is based on long-term
strategies and goals (e.g. differentiation, sustainability,
carbon reduction objectives, safety, compliance)
•the procedures for calculation of non-financial information
are based on specific and authoritative standards with
common definitions (e.g. ISO 14064 for carbon footprint,
updated procedures)
•the presentation of non-financial information is fair and
consistent from period to period (e.g. methodological
changes)
•KPIs variations against previous periods are investigated
31. [31]
Internal Audit Work Program
Completeness
Full coverage or
occurrence of
required data (not
for optional data)
Data can be traced
Verify that
•there are integrity checks of all operational data under
scope based on identified misreporting risks (control with
inventory of sites, no double-counting controls)
•data is managed with a reliable tool supporting the
collection, aggregation and reporting
•records of all relevant data, work papers and corrections
are retained
•supporting documentation is stored safely and is easily
accessible by relevant employees
Re-perform integrity controls (all periods, all sites)
32. [32]
Internal Audit Work Program
Relevance
Data is applicable
and helpful for the
objectives
Verify that
•there is a materiality assessment for reporting NFI to
internal and external shareholders
•compliance requirements are considered for external
disclosing (e.g. carbon accounting reporting, climate change
and carbon reporting, regulatory reporting to environmental
agencies)
•transparency meets key external stakeholder expectations
•stakeholders are aware of internal controls in place
regarding non-financial data
33. [33]
Internal Audit Work Program
Timeliness
Data is up to date
when decisions are
made
Verify that
•there are clear reporting timelines (communicated,
monitored, detailed allocation of tasks and due dates)
•NFI is reported on regular basis in compliance with
reporting requirements
34. [34]
Case Study Carbon Audit
Illustrative internal audit recommendations
Absence of a carbon reporting procedure
The procedure to collect, validate, control, calculate and report carbon emission is not
formalized. As a result, the disclosing of GHG emissions of soybean production in the
annual reports could contain unreliable information. In 2017, the spreadsheets for GHG
emission modeling lacked of consistent integrity controls and had discrepancies in the
electricity invoice dates for October and November. The Sustainability Reporting Manager
explained that spreadsheets containing formulas for GHG emissions were being improved
at that time. We recommend to define roles and responsibilities (RACI) based on the ISO
14064 and to establish an internal procedure with clear instructions.
35. [35]
Case Study Carbon Audit
Illustrative internal audit recommendations
Unreconciled supporting data
The GHG emission data included in the 2017 annual report is not reconciled to supporting
data. As a result, the disclosed data could have gaps in own-use electricity and gas and
omissions in soy plantation aggregates. In April 2017, the consumptions of natural gas
used in the grain dryers in Roque Perez and Murphy were omitted. In May 2017, the gas
consumption for Roque Perez showed a discrepancy in -1,000 cubic feet. The Cost
Controlling Analyst explained that the Field Operation Managers for these farms resigned
at that time and he was performing numerous other tasks which impacted in the controls.
We recommend to embed integrity controls against the plantation site master file in the
emissions management software.
36. [36]
Case Study Carbon Audit
Illustrative internal audit recommendations
Absence of retrospective adjustments
Changes in the methodology of calculating GHG emissions lacked of a retrospective
adjustments to past emissions data, including the 2014 baseline (base-year GHG
inventory). As a result, the disclosed GHG emissions of soybean production in the annual
reports could contain incomparable information. In 2017, key equivalencies and metrics
for GHG were adjusted in -5% to reflect sector-specific and country-specific
considerations. The Sustainability Reporting Manager confirmed that the 2014 baseline
was not updated with the new quantification methodology. We recommend to recalculate
the previously reported emissions and disclose the changes in the methodology.
37. [37]
Discussion how to audit?
People KPIs 2015 2016 2017
Average engagement score me@Company
survey
n/a 7.0 7.0
Employee attrition 4.2% 3.9% 4.4%
Attrition rate of high performers 1.7% 1.7% 1.8%
Promotion rate of high performers n/a 35% 37%
Promotion rate - overall n/a 12% 13%
% of people performance management
process completion
98% 98% 98%
% of development action plan completion 91% 92% 89%
38. [38]
Discussion how to audit?
Social KPIs 2015 2016 2017
Patients reached with diabetes care products
(estimate in millions)
26.8 28 27.7
Donations (DKK million) 105 106 103
New patent families (first filings) 77 74 65
Gender in management (ratio men:women) 60:40 59:41 60:40
Relevant employees trained in business
ethics
98% 99% 99%
Product recalls 2 6 6
Failed inspections 0 0 0