When it comes down to assessing corporate sustainability performance and impacts, investors, rating agencies and other stakeholders have developed a growing appetite for accurate, relevant, consistent and comparable data. In a globalized world prone to economic volatility, alternative facts and corporate scandals, solid financial and “non-financial” disclosure is expected to serve them as a beacon of trust in a complex planning environment. The recently published Edelman Trust barometer for 2017 finds that, in a world where average trust levels have dropped below 50 percent, business remains “the one institution that retains some trust with those skeptical about the system, to prove that it is possible to act in the interest of shareholders and society alike.”
With the demand for reliable corporate disclosure being on the rise, so is the importance of assurance, particularly in unveiling inconsistencies, materially false or misleading information in financial, sustainability, and integrated reports.
In addition to internal auditing and control mechanisms, external assurance plays an increasingly important role in ensuring that the information provided to stakeholders is fairly presented and hence trustworthy. In a number of more mature markets, assurance professionals have already proven capable of providing assurance on sustainability disclosure and integrated reporting. The latter has been adopted by more than 1,500 companies around the world, particularly in Japan and South Africa, where integrated reporting has become mainstream.
According to the Global Reporting Initiative (GRI), more than 50 percent of the 40,000 reports listed in its Sustainability Disclosure Database indicate some form of external assurance. Among the world’s biggest companies (G250), the rate is at almost 75 percent, even though the actual scope varies considerably. As GRI contributes to the standardization of corporate reporting, the verifiability of sustainability data becomes even more important. As with financial reporting, external assurance of sustainability disclosures makes it more likely that the data will be used for decision-making by financial investors and other important stakeholders. The application of common electronic formats such as XBRL taxonomies to both financial and non-financial reporting streams further facilitates the integration, access to, and analysis of corporate disclosure. However, as trust is a delicate plant, any major incident of non-compliance in these reports – and particularly an intentional one – would be considered a breach of confidence and likely strike a blow to a company’s core value.
So how to ensure the accuracy of reporting information? At governance level, a company will try to make sure that the quality of its accounting, auditing and disclosure mechanisms is beyond reproach. It can do so by applying common standards such as, for example, the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board (IASB) for financial reporting, the sustainability reporting guidelines provided by GRI, or the International Framework by the International Integrated Reporting Council (IIRC).
External auditors typically apply the International Standard on Assurance Engagements (ISAE 3000) issued by the International Auditing and Assurance Standards Board (IAASB) or the AA1000 Assurance Standard (2008) from AccountAbility. The latter is currently under revision for launch by mid-2017. In regard to non-financial and integrated reporting, there is still no global consensus on a set of overarching generally accepted assurance standards in practice. However, if they apply ISAE3000, non-professional accountants involved in assurance engagements are expected to meet the same demanding quality standards required by the International Standard of Quality Control (ISQC 1) for the assurers of financial statements and the International Ethics Standards Board for Accountants (IESBA).
Coping with cases of non-compliance
Despite a company’s best intentions and efforts to put forth a solid code of conduct for all its employees, it will still remain vulnerable to acts of non-compliance or misconduct, such as data manipulation, fraud or bribery. These so-called ‘NOCLARs’ may come to light in the process of financial reporting as well as in sustainability disclosure. They are defined as any act of omission or commission, intentional or unintentional, committed by a client or employer, which is contrary to prevailing legislation or regulations, and which affects the organization’s financial statements or its business in a material or fundamental way. An act of NOCLAR that causes substantial harm is one that would result in serious adverse consequences to investors, creditors, employees or the general public in financial or non-financial terms.
The trouble is that, until today, accountants, auditors and sustainability managers usually are left to their own devices when confronted with these types of occurrences. Especially when working alone or being put under pressure, the practitioner’s ability to take the right decision in this stressful situation widely depends on her or his personality, rationality, and level of professionalism. While major auditing firms can draw on internal support mechanisms, smaller firms and independent consultants often lack practical guidance on how to resolve a dilemma involving confidentiality or how to step up and stand the test as a whistle-blower. In many cases, professional accountants and auditors simply resign from their assignment without NOCLAR issues being appropriately addressed, let alone resolved.
Stepping into the breach for whistle-blowers
To this end, the IESBA has issued the NOCLAR Standard, a first-of-its-kind framework to offer straightforward guidance on what assurance and accounting professionals should do in case they discover or suspect a NOCLAR. It is the first time these experts will be permitted to set aside the duty of confidentiality to disclose a serious case of NOCLAR to an external authority. This includes considerations and actions such as:
- Specific communications with management and those charged with governance, assessing the appropriateness of their response to non-compliance and determining whether further action is needed.
- Communicating identified or suspected non-compliance with laws and regulations to other auditors (e.g., in an audit of group financial statements).
- Determining whether further action is needed, which may include reporting a NOCLAR to an appropriate authority outside the entity.
- Documenting in accordance with the requirements of the revised IESBA Code.
The standard also addresses circumstances in which public disclosure might not be advisable, for example if the absence of legal protection would expose the whistle-blower to the risk of professional liability or retaliation like threats to physical safety. The new NOCLAR standard will be effective from July 15, 2017. Brazil and Sri Lanka are among the first countries to implement it at the national level. At 28 pages, it is part of the IESBA’s International Code of Ethics Standard, which is currently being restructured and redrafted to enhance its understandability and usability. The restructured Code is due to be finalized in December 2017.
“Considering the growing integration of non-financial information into corporate reporting, I believe it is useful for non-accountants to understand the new NOCLAR standard and how it may help with non-compliance issues," states Jennifer Iansen-Rogers, Head of Corporate Assurance at ERM Certification and Verification Services. "Extending the framework to assurance professionals other than accountants would be beneficial to society because it would support the quality of internal and external assurance undertaken by consultants and accredited certification bodies."
In her opinion, the benefit of the new standard will largely depend on how it is implemented at the national level by regulatory bodies and law makers. “In case of a serious NOCLAR, auditors need to know to which authority they can turn to for legal backing,” she added.
In addition to its role as a standard setter, the IESBA sees itself as a trend-setter and promoter of the new standard, rather than a regulator.
“The IESBA believes that it is only one player in the global fight against NOCLAR,” emphasizes Ken Siong, IESBA’s Technical Director. “Governments, legislators and regulators are uniquely placed to introduce or strengthen legislation or regulation governing the reporting of NOCLAR, appropriately tailored to their national circumstances, including establishing appropriate protections for whistle-blowers.”
All participants in the reporting chain, especially management and those charged with governance, have an important role to play.
With the financial crisis and massive corporate scandals in mind, the new NOCLAR standard not only aims at protecting the assurance and accounting profession against reputational damage, it puts them into an active role of protecting stakeholders from potential harm from the consequences of NOCLAR such as data manipulation, fraud and other corporate malfeasance. As such, the new standard promotes good governance, corporate citizenship and the pursuit of the Sustainable Development Goals.