Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

Taking the Lead in Nonfinancial Reporting

Internal audit is well-positioned to examine how its organization reports on nonfinancial issues.​

Comments Views

B​y December, governments across Europe will need to have translated the European Union’s (EU’s) 2014 Directive on nonfinancial reporting into their national rule books. Formulated in response to the perceived short-termism that contributed to the global economic and financial crisis in 2007, the rules mandate that Europe’s top 6,000 companies disclose in their annual report and accounts how they are discharging their social, environmental, and ethical duties.

“Disclosure of nonfinancial information is vital for managing change towards a sustainable global economy by combining long-term profitability with social justice and environmental protection,” the 2014 Directive says. “In this context, disclosure of nonfinancial information helps the measuring, monitoring, and managing of undertakings’ performance and their impact on society.”

Who benefits most from this additional reporting burden? Nicolas Bernier-Abad — who is in charge of seeing the rules come to fruition at the European Commission’s Directorate General of Financial Stability, Financial Services, and Capital Markets Union — told internal auditors at a recent event organized by the European Confederation of Institutes of Internal Auditing in Brussels that nonfinancial reporting was “pro-business.” “The aim is not to create a new report, but to add content to the existing management report regarding environmental and social obligations, action to counter corruption and bribery, and in respect of human rights,” he said. He added that for executives and boards to understand what is going on in their own organizations, these issues had to be spoken about in the same way as one would talk about profit and loss.

While an estimated 2,000 companies in Europe already produce and use such information, the new Directive will set in motion the biggest compulsory reporting project of its kind. It is likely to help standardize what has been a growing trend globally during the past 10 years. The movement to provide more comprehensive reporting on matters that do not fall under the financial reporting remit has gathered ste​am under a range of titles — such as integrated reporting, corporate social responsibility reporting, and sustainability reporting — but thus far there is no agreed-upon approach or methodology to capture these disparate topics under a single reporting framework or set of standards.

A More Serious Document

European internal auditors who have been involved in developing nonfinancial reporting mechanisms tend to agree with Bernier-Abad’s assessment. While the reports do give investors, environmental pressure groups, and others a larger and more detailed window into the business’ operations, management also wins.

“In general, if you look at the development of sustainability reports in companies, there is a move away from producing a marketing document and toward producing a much more serious document where the company discloses how they perform in certain areas,” says Mark Jongejan, vice president, Group Internal Audit at the Danish brewer Carlsberg.

Internal audit not only assesses the accuracy of the specific key performance indicators to be disclosed in the report but has helped build an awareness within the company about the relevance of this type of reporting. “To be able to develop good strategies, you need reliable data,” he says. “The internal audits we performed in this area have enabled us to have discussions with management on how you organize the whole governance process around nonfinancial reporting, the roles and responsibilities needed, what kind of tools to deploy, and how you train your people in the organization.”

In the beverage industry, one big challenge is how to reduce water usage. “To be able to develop a good strategy and to set clear objectives for the coming three to four years, you have to know where you are at this point in time,” he says. “You need accurate data. You need good nonfinancial reporting systems.”

While the EU Directive is making nonfinancial reporting the norm for European companies like Carlsberg, there has been less pressure in the U.S. to go down this route, not least because the Sarbanes-Oxley Act of 2002 focused many businesses and their internal auditors on providing assurance primarily around financial controls. But that does not mean U.S. auditors are not engaged in such projects.

“Outside of the many U.S.-based multinational companies that are talking about this, the terminology really hasn’t caught on here yet,” says Jim Pelletier, IIA vice president, Professional Solutions. “Auditors who are taking a risk-based approach and are looking at the major objectives of the organization are likely to be hitting these areas — they’re just not calling it the same thing.”

Pelletier says the focus on nonfinancial reporting also marks a turn away from providing assurance on the traditional, historical performance of the company, to a view that looks ahead at the potential big risks that could impact the organization. Given the range and variety of risks that pose a threat today, it makes sense that many of those are nonfinancial in nature. In that sense, nonfinancial reporting is an acknowledgement that risk-based auditing has a crucial role to play in the long-term success of each organization.

Integrated Thinking

Silvio de Girolamo, group chief internal audit and corporate social responsibility officer at the food and beverage group Autogrill in Milan, Italy, is a contributor to the 2015 IIA report, Beyond the Numbers–Internal Audit’s Role in Nonfinancial Reporting. He says in many organizations — his own included — nonfinancial reporting has proved its worth to management in specific areas and has grown in stature from this success.

His experience at Autogrill mirrors that of Jongejan’s at Carlsberg. “When you begin to measure what is happening in these areas, you can start to manage those processes that you did not manage in the past and improve on them,” de Girolamo says. But there is an opportunity for internal audit to play a defining role in how nonfinancial reporting is to be developed because of the lack of prescription on how it should be implemented.

“Internal auditors can play a defining role by becoming change agents within their businesses,” he says. He accepts the move into these areas is a challenge for internal auditors, given their traditional focus on financial controls, but is confident that the profession can help promote integrated thinking in the businesses they serve.

“We need to argue that the company has to put in place a methodological approach to manage these areas, not just as a collection of individual problems, but as something more integrated and interconnected,” de Girolamo says. That involves a recognition of the importance of the organization’s social role and impact, and a proactive way of seeking out effective solutions that are good for both the company and its stakeholders.

Internal audit is positioned to achieve this objective — what he calls integrated thinking — because it can take a helicopter view of the entire organization that could help it move from dealing with its social reporting in an ad hoc manner to something more holistic. But he also admits that not all CAEs will be in a position to jump to this higher level of operation immediately.

“Internal audit’s role depends very much on the maturity level of the company in nonfinancial reporting,” he says. Internal auditors can perform an advisory role or an assurance role — or something in the middle. That can entail supporting management in understanding which kinds of reporting systems are going to be most effective, helping it improve those systems, or providing assurance when they are well-established.

Rise to the Competency Challenge

The role is not without its challenges. The most important of these is filling the competency gaps within internal audit, itself, according to Mentes Albayrak, audit coordinator at the Turkish conglomerate Anadolu Group and IIA–Turkey vice chairman.

He says auditors have two kinds of competency: process and content competencies. “Internal auditors have the right process competencies for effective nonfinancial reporting, such as the ability to communicate with stakeholders, extensive knowledge of how to perform an assurance engagement, and knowing the International Standards for the Professional Practice of Internal Auditing,” he says.

But there are differences in the way internal auditors need to apply these competencies when it comes to nonfinancial data. While auditors have the information and knowledge about how to decide on materiality when it comes to financial controls, for example, the issue of materiality for nonfinancial controls also entails reaching out to stakeholders.

“Internal auditors need to understand what information is relevant to the business’ key stakeholders, and understand what is significant to them and how much it matters,” Albayrak says. “Unlike deciding materiality on financial controls, this involves exercising a much greater degree of professional judgment.”

Decisions on materiality over nonfinancial reporting issues should be systematic, transparent, and accountable. “That means when management or stakeholders ask about your methods or systems of determining materiality, you have a system in place and can give a comprehensive answer to that question,” he says.

That requires a more outward-looking approach — one that entails internal auditors reaching out to their stakeholders and engaging in communication. For auditors who have been focused largely on financial controls, that could be a big shift in emphasis. Nonfinancial reporting requires auditors to understand the finer points of communication. When it comes to working on issues such as culture, auditors are asking people to share their opinions and feelings — rather than merely collating facts and figures, says Tea Enting-Beijering, one of several CAEs within the Netherlands’ Central Governmental Audit Services directorate within the Ministry of Finance.

“When we started our nonfinancial auditing project, we selected auditors who already had strong communication skills, and we invested in more education for them,” says Enting-Beijering, who is CAE for the Ministry of Infrastructure and Environment. She selected a handful of people out of the 600 auditors on the team. Her objective was to look at the organization’s culture because the standard financial audits could not pick up on how changes to its working practices were impacting the business.

Developing good listening skills and creating an atmosphere with the right level of intimacy and trust was key. “If there is not enough trust, it is difficult to get people to share their opinions and feelings,” she says. Communicating the audit findings with those involved also needed to be handled with sensitivity because people need to feel they have been listened to and their concerns have been taken seriously.

She says the audits have given managers a much clearer picture of how their work fits into and impacts the wider ministry. It also has helped the audit team provide advice on how processes can be improved and how things can be done better. “The most important thing is that we are now having conversations in the organization that are very good and are leading to real change,” she says.

While communication is key, Albayrak says, the biggest challenge in filling internal audit’s competency gap is in what he calls content competency. “In nonfinancial reporting, you’ll have environmental issues, ethical issues, noneconomic issues, and sometimes macro-economic issues that form the content of the report you are working on,” he says. “It isn’t possible for an internal auditor to know everything. We need to establish the information on which to provide assurance, but we can’t have competency on the content of all areas.”

Albayrak’s solution is similar to de Girolamo’s: Provide integrated assurance, or combined assurance, by creating a multidisciplinary team of experts from across the organization and beyond. If no party has the full spectrum of competencies required to provide assurance on nonfinancial reporting, then the various parties involved in this assurance process should be coordinated effectively.

“Internal auditors are best positioned to provide that coordination,” he says. “We have the process competencies, we have the general outline of what content competencies are needed, and we have a general knowledge from the work in our own organizations about what environmental, human resources, social, and ethical issues the business faces.”

That gives internal audit the ability to form an effective, multidisciplinary team, coordinate that team, and get the input needed from management, or external consultants, to ensure all of the relevant technical content goes into the process. A 2015 paper, Combined Assurance: One Language, One Voice, One View, written by Sam Huibers and published by the Internal Audit Foundation’s Global Internal Audit Common Body of Knowledge (CBOK) research project, outlines how this approach can bring disparate parties together to provide a single statement on assurance that unites their perspectives. But while two out of three European organizations taking part in the 2015 CBOK practitioner survey said they were aware of this approach, just over half (53 percent) of North American respondents said they were — below the 59 percent global average.

Create a Consistent Approach

The headline figures emerging from the CBOK study may be more a matter of semantics. Just as some U.S. internal auditors are engaging in many of the areas that in Europe go under the heading of nonfinancial reporting, so does The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control–Integrated Framework provide support for those working in this area, says COSO Chairman Robert Hirth. Every U.S. stock exchange-listed company uses the framework to comply with Section 404 of the Sarbanes-Oxley Act of 2002, covering internal control over external financial reporting. “But all forms of reporting are a specific control objective area in the COSO framework,” Hirth says, “and that reporting is defined as being internal, external, financial, and nonfinancial reporting.”

The aim is to create a consistent approach and common language for evaluating all forms of internal control and all forms of reporting, he says. That requires CAEs who are implementing nonfinancial reporting to start at the top. “Get management and, as needed, board and audit committee buy-in and agreement that validating this nonfinancial reporting is valuable, desired, and makes sense against other priorities and resource constraints — some companies have a lot of resources, others have very little,” he advises.

Next, identify the most critical, important nonfinancial reporting that should be validated and audited. “This means that there will likely end up being lots of nonfinancial reporting that doesn’t make the cut — at least for now,” Hirth says. “Determine which internal and external information falls into scope.” For example, internal reporting on diversity or employee evaluations may be important and external reporting on sustainability or corporate social responsibility may also be just as important. CAEs need to include all of those critical areas in their plan.

Finally, he says, internal audit needs to involve and engage the first line of defense processes and people who produce the reporting information. “Also, look at how you can leverage information systems to generate the information with a higher level of accuracy and integrity, and try to eliminate the manual production of this information,” he advises.

Conquer the Big Stuff

There are likely to be a few sticking points to audit involvement in nonfinancial reporting, particularly defensiveness among those people preparing the reports, as they may never have had their work challenged or audited in the past. “Deal with this professionally, but don’t back down if the information is truly important,” Hirth says. In addition, there may be a lack of controls related to the reporting involved, and internal audit’s main role in that case is to identify the important gaps. “There’s a danger of doing work on information that doesn’t really matter,” he says. “Don’t chase the little stuff. Chase and conquer the big stuff.”

The need to boost their skills, competencies, and even head count in this area is a huge challenge ahead for the profession. In addition to creating audit departments that are more risk-based, forward-looking, and willing to reach out to stakeholders, they also will have to work more collaboratively than ever to succeed.
Worried? De Girolamo isn’t. He thinks nonfinancial reporting will be the next catalyst to grow both the stature and size of the internal audit profession. “It’s a big challenge for sure, but one internal audit is more than ready to meet,” he says.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.



Comment on this article

comments powered by Disqus
  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3