Back to Debate


Reassured by assurance?
(posted 10 June 2005)

Stimulators:
Richard Sykes - Shell
Geoff Lane - PricewaterhouseCoopers

Guests:
Nick Saunders - Yell Group
Ramon Arratia - Vodafone
Julia King - GSK
Matt Gorman - BAA
Nigel Pate - HSBC
Peter Mason - Ethical Performance
Alistair Clark - EBRD
Dominique Gangneux - Deloitte & Touche
Ilan Jacobs - Egg.

Richard Sykes has been involved in environmental assurance since the mid-90s. He began by explaining what he means by assurance. It is not the same as verification, which would be asserting the truth of statements. Nor is it a comment on performance. Assurance is an independent check on the quality of information in a report. (Much more on this later.)

The point should be to build credibility or trust in what a company says. But assurance should also help to improve the quality of the data a company produces, by improving the processes and controls behind it. So it should have value for the company – because the company wants reliable data and reliable controls, and because investors are increasingly interested. (This has a spin-off, because the more reliable internal controls are, the less external auditors have to do, but assurance should be for the company, not the auditors.)

It seems that there are powerful trends towards more assurance. Sarbanes-Oxley, for example, requires CEOs and CFOs to certify that any data which is material for shareholders are "accurate, relevant and balanced". Those senior executives are going to want assurance that they can make such statements without risking a spell in jail.

Shell has almost 10 years experience of reporting and assurance – more than most. But the need for assurance creates tensions between the group and the operating businesses, who don’t want to be pestered for data. That highlights the need to demonstrate internally that assurance can add value. That tension may increase with the Operating Financial Review (OFR), which will require auditors to sign off on the processes behind the OFR statements.

But CR reports are not just about data, and it may be useful to think of approaches to assuring social reports which are different from the conventional data-assurance concept. For example, Shell has experimented with local stakeholder panels that comment publicly on its performance within a specific community. Sykes feels that a statement from the panel is of greater value than statements from professional assurers.

Geoff Lane responded by agreeing that assurance must have some value, but pointed out that value can arise in several ways. He stressed that the assurance relationship is not just between assurer and the company. It is a tripartite relationship which also includes the users of the report.


The main value to management is likely to be that the report they have produced is shown to reflect the company’s performance properly. But the assurance process may also drive change within the company in accordance with management objectives.

Assurance may also be necessary for other reasons:
- to win the support of stakeholder groups

- for processes such as emissions trading

- for due diligence in acquisitions

- to satisfy customers that the company is performing appropriately.

But whatever the benefits, good assurance must start with the company, not the assurer. It is up to the company to invest in engaging with stakeholders and creating suitable processes on which assurers can rely.

Currently there are different assurance models:

- the "Big Four" (auditors) approach, based on the financial assurance model, tightly controlled and increasingly restricted

- the certification approach, which is primarily concerned with management systems

- the "experts’ commentary" approach, using a public figure (such as Jonathon Porritt) to provide a testimony on what a company has been doing.

There are weaknesses in each approach. The first may be too rigid and its output may not be well understood. But the level of assurance provided by the other approaches may be questionable.

Perhaps the answer will be that different approaches may be used, possibly in combination, to suit the needs of different companies.

Much of the subsequent discussion centred on value, especially in the light of the cost of assurance to companies which may already be struggling to justify CR budgets.

It is clear that the nature of that value could vary widely. There could be value simply in the fact of having an assurance statement and process, to reassure readers of reports. There is also potential value for the company in the assurance process helping to improve internal controls and systems.

There could be value in what the assurers say publicly – but this seems impossible with formal "Big Four" audits which are constrained by formal statements and fears of litigation. That makes it highly unlikely that they could provide the kind of constructive criticism which other assurers (not related to the financial assurance world) are able to provide.

But there is also a major question around independence. Assurance statements are sometimes provided by specialist firms which also act as consultants. They may have provided the company with consultancy, and/or be hoping to do so in future. This obviously calls into question their independence and their willingness to be vigorous in their assurance. On the other hand, Big Four assurers are also likely to have a financial relationship with the company which could potentially compromise their independence. But there are advantages to the company by using the same firm to provide financial and CR assurance.

Companies may be helped by focusing on what stakeholders want, and that is likely to vary from sector to sector and possibly company to company. In many cases stakeholders are most concerned about specific issues, such as access to medicines or food health. In such cases they will not be looking for assurance of data, but for assurance that the company has engaged appropriately with stakeholders, and is responding, and that its reports reflect that.

Standardisation may not be helping to solve the assurance dilemmas. The accountancy profession’s new standard, ISAE3000, is hampered by the kind of defensiveness and jargon which is familiar from financial auditing. The AA1000 approach, on the other hand, struggles to convert the excellent principles into something that is useful in practice.

The feeling round our table seemed to be that there is an inexorable trend towards assurance, but that it is difficult to find an approach that satisfies what companies and stakeholders want, at a reasonable cost. As ever in CR, experimentation should be encouraged. We may not need 1,000 assurance flowers to bloom (and anyway, Mao is rather out of favour at the moment) but it seems that companies do need to avoid an assurance monoculture.