The Right Report

How to achieve genuine verification of corporate sustainability performance.

By Gwendolen B. White

Character is like a tree, and reputation like its shadow. The shadow is what we think of it; the tree is the real thing.
—Abraham Lincoln

If reputation is only perception, why does it matter for a company? If a company is doing well financially, is that enough? In recent years, the answer has been no. How did this come to be?

During the last 30 years, several things have influenced the way companies focus on their reputations. Large corporations such as McDonald’s, Apple, and Walmart have become recognizable all over the world, and globalization has brought greater scrutiny to all aspects of their products. News of unsafe products, poor working conditions, or environmental pollution can tarnish a company’s reputation. What’s more, bad news is traveling faster and faster; communication through the Internet and cellphones has connected stakeholders with unprecedented speed. Meanwhile, stakeholders are demanding increased accountability.

Stakeholder demands for transparency from management have spawned third-party ratings and rankings that are based on information about corporate governance, environmental performance, and social impacts. For example, the Dow Jones Sustainability Index (DJSI) and the Carbon Disclosure Project (CDP) are two that rate and rank firms based on such information (as, of course, does CR Magazine). Investors and analysts are using this information as proxies for companies’ long-term risks. As the demand for sustainability information goes up, companies are responding by providing more and monitoring their reputations on many fronts.

With companies expending all this effort to manage their reputations, how do American citizens perceive corporate America? According to the Harris Poll 2012 Reputation Quotient, only 2 percent of Americans rated the reputation of corporate America as “very good.” A closer look at the survey results reveals a high level of mistrust. While the overall net positive rating was 22 percent, the overall net negative rating was 53 percent, with 15 percent of the negative selecting “very bad.” These ratings have worsened since the previous survey in 2010. The recent subprime mortgage industry collapse and investment banking failures have undoubtedly contributed to this low estimation.

Reputation Fragile: Handle With Care
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.
—Warren Buffet

For many companies, corporate social responsibility (CR) reporting is seen as an approach to doing “things differently.” What is CR reporting? The many names—such as triple bottom-line (economic, environmental, and social), environmental, social and governance (ESG), corporate citizenship, and sustainability—reflect the lack of standardization in this area. As a result, companies have created reports that communicate to a wide variety of internal and external stakeholders (employees, consumers, regulators, investors) how they are managing their business as it pertains to economic, environmental, and social impacts. For example, on the social front, many companies in the apparel industry have faced human rights and child labor risks. For many, CR reporting is an opportunity to address these risks actively, rather than reactively. In this vein, the company can take the necessary actions to mitigate these risks and communicate to internal and external stakeholders what they are doing. These reports can make hiring easier by attracting talented employees who are interested in working for a well-run company.

They also can help internal and external users make more informed decisions; otherwise, companies would be wasting time and money.

In a study of reporting trends, CorporateRegister.Com, a directory for sustainability reports, found that CR reporting has been increasing steadily for the past 10 years, with at least 1,000 new reporters each year. In the United States, this trend has started to increase rapidly in the last three years. Through CR reports, companies are communicating their approaches to sustainability-related activities and accomplishments on targets for improvement. This can mean better management of resources (physical and human), reduced costs, increased compliance, and enhanced reputation. These reports are seen as augmenting the financial statements because reducing and controlling a company’s environmental and social impacts is connected ultimately to financial results. Although report format and content varies across companies, they often disclose their corporate governance policies along with their economic, environmental, and social impacts.

If CR reports are not mandatory in the United States, why are more companies motivated to report? In the best light, increases in the incidence of reporting indicate that they are responding genuinely to stakeholder demands regarding environmental, economic, and social impacts. The reports are intended to provide useful information about their long-term approach geared to improving risk management and internal decision-making. In the worst light, CR reporting is just “greenwash” that promotes only positive actions while downplaying or covering up negative ones. When “greenwashing” that covers up negative actions is exposed, it generates public cynicism and distrust of companies engaging in this behavior. Unfortunately, it might also adversely affect public perception of companies that are making sincere efforts to be transparent and to improve their operations. It can be difficult to tell which reports are “greenwash” and which are not.

The Reporting Landscape
How do companies gain public trust with CR reporting? If companies are going to publish sustainability performance indicators, then the information needs to be credible. Third-party assurance of these reports is one approach to gaining credibility. Accounting firms, specialist consultancies, certification bodies, nongovernmental organizations (NGO), stakeholder groups, and academics perform third-party evaluations. Accounting firms, specialist consultancies, and certification bodies provide the vast majority of sustainability related services and third-party assurance. Large accounting firms such as Deloitte, Ernst & Young, KPMG, Moss Adams, and PriceWaterhouseCoopers have divisions dedicated to sustainability and climate change services, which includes advisory (e.g., sustainability strategy, implementation), tax (e.g. U.S. renewable energy tax credits), and assurance (e.g., examinations, reviews, agreed-upon-procedures). Specialist consultancies provide advisory (e.g., report processes, supply chain, and human rights policies) and assurance services for CR reports. Certification bodies are typically involved with the certification of specific systems (e.g. ISO 9000 or 14001), projects, and measurements (e.g., greenhouse gas emissions) rather than the assurance of a complete CR report.

Audits of financial statements demonstrate how companies establish a level of trust with users who depend on financial information to make decisions. The legal requirement for public companies to have audited financial statements goes back to legislation passed in the 1930s after the stock market crash of 1929. Before that time, financial reports—if published at all—were not reliable. When financial securities were traded on false or nonexistent information, there were dire consequences for the U.S. stock market and eventually the world economy. The U.S. Securities and Exchange Commission (SEC) requires publicly held companies to have their annual financial statements audited by independent certified public accountants (CPA). As part of its Code of Professional Conduct, the American Institute of Certified Public Accountants (AICPA) stipulates that when independence is required, the member must be “independent both in fact and appearance.” For CPAs, the issue of public trust is at the heart of their profession. For nearly 100 years, the accounting profession has been performing financial statement audits with the trust of the investing public in mind. This is evident in its establishment of standardized auditing standards that binds CPAs’ work.

Although U.S. regulators do not govern sustainability reporting and assurance services, globally recognized standards do exist.

For reporting, the Global Reporting Initiative (GRI) framework is the most commonly used framework, with more than 80 percent of the world’s largest 250 companies (G250) using it to report on sustainability. It is principles based and includes standard disclosures on management approaches to sustainability and the organization’s environmental, economic, and social impacts. Assurance standards include the AccountAbility AA1000 Assurance Standard (AA1000AS, 2008), the International Auditing and Assurance Standards Board (IAASB) International Standards on Assurance Engagements (ISAE) 3000, and the AICPA Attestation Standards (AT 101, AT201, and AT601).

Standards Bearers
The AA1000AS (2008) standard addresses the requirements for performing sustainability assurance with a focus on the organization’s responsiveness and future performance. Non-accounting firms tend to follow this standard. It was developed by AccountAbility, an international think tank and consulting firm specializing in advisory services. The standard emphasizes the significant interests of the stakeholders by finding omissions or misrepresentations in the report as a whole that could affect the behavior of intended users of the report. Using this standard, the assurance provider gives assurance on the extent and type of adherence to the three AA1000 AccountAbility Principles Standards (AA1000APS) 2008.  These principles are the Foundation Principle of Inclusivity, the Principle of Materiality, and the Principle of Responsiveness. Inclusivity addresses the issue of including stakeholders in developing a strategy for sustainable development, while materiality covers determining the important issues for an organization and its stakeholders. Responsiveness involves how the organization responds to the important issues that pertain to sustainability performance.

The ISAE 3000 standard provides principles and procedures for accounting professionals performing all assurance engagements other than historical financial information audits or reviews, which are covered by the International Standard on Auditing (ISA) and International Standard on Review Engagements (ISRE). The IAASB, an independent standard-setting body that operates under the auspices of the International Federation of Accountants (IFAC), issued ISAE 3000. It specifies an approach and procedures to be followed to be in compliance with professional assurance standards and codes of conduct. The ISAE 3000 standard states that assurance engagements can be conducted for (a) environmental, social, and sustainability reports; (b) information systems, internal control, and corporate
governance processes; and (c) compliance with grant conditions, contracts, and regulations. ISAE 3000 provides guidance on evaluating ethical requirements, maintaining quality control, accepting and planning engagements, acquiring work of an expert, obtaining evidence, documenting the engagement, and preparing the assurance report. Effective on or after September 30, 2013, ISAE 3410 has been issued to cover assurance on greenhouse gas statements.

The Attest Engagements AT Section 101 (AT 101) standard, developed by the AICPA and used by CPAs in the U.S., binds CPAs when they are conducting assurance services other than the audit and review of financial statements. Assurance services such as examinations and reviews for CR reporting come under this category for CPAs. Examinations are considered a high level of assurance because they involve search and verification procedures, such as observations, inspections, and confirmations. The resulting assurance report states whether or not the information is fairly presented, in all material aspects, based on the criteria identified. The examination report basically states whether the company has applied the reporting criteria appropriately. For example, if the company used the GRI sustainability reporting framework, the CPA’s report says whether or not they followed the GRI framework in presenting the information.

Reviews of CR reports represent a moderate level of assurance because the procedures are limited to inquiries of key company personnel and analytical procedures (e.g., comparisons of data to prior periods, forecasts, expected relationships). Reviews are not considered opinions on the fair presentation, and the wording in the report demonstrates this. Review assurance reports state whether nothing came to the attention of the auditors that would make them believe that the information is not fairly presented, in all material aspects, in conformity with the criteria.

The AT 101 standard stipulates general standards, standards of fieldwork, and standards of reporting for when accountants are engaged to do examinations and review. The general standards address what constitutes adequate training and proficiency, knowledge of the subject matter, independence, and due professional care. Standards of fieldwork include how to plan and supervise these engagements along with how to obtain sufficient evidence to issue a conclusion. Reporting standards cover the content of the assurance report. These include stating the subject matter or the assertion being reported on, a statement about the character of the engagement in the report, and the CPA’s conclusion about the subject matter in relation to the criteria against which it was evaluated. The CPA is obligated to state all significant reservations about the engagement, the subject matter, and, if applicable, the assertion in the report. If the report is restricted to certain users, the standard specifies what special wording is needed to convey the restrictions.

Reviewer Reviewing
CPAs can be hired for other than examinations and reviews, such as attestation to agreed-upon procedures and compliance. The AT201 standard covers agreed-upon procedures, which is when a CPA is engaged by a client to issue a report of findings based on specific procedures performed on subject matter. An example is the confirmation of specific information with third parties. AT601 provides guidance for a client’s compliance with specified laws, regulations, rules, contracts, or grants or the effectiveness of a client’s internal control over compliance with specified requirements. An attest engagement conducted in accordance with AT201 and AT601 must comply with the general, fieldwork, and reporting standards in AT101.

The AICPA Auditing Standards Board is considering developing guidance for review-level engagements that addresses greenhouse gas statements. Another area being considered by the AICPA Assurance Services Executive Committee is the development of assurance and/or advisory guidance to help members address an emergence of sustainability reporting and assurance requirements stemming from supply chain vendor code of conduct requirements and other certification requirements. Big retail organizations are fueling demand for these services by requiring their current and prospective suppliers to provide reporting and third party assurance on their environmental, social, and corporate governance practices.

Recent studies of U.S. companies issuing CR reports show that many do not have assurance. This might be due to the maturity of reporting in America. CR reporting has begun to increase only in recent years. Many companies are still in the early stages of reporting and might feel that the state of their supporting records and information systems is inadequate for assurance. As companies refine their information systems and reports and stakeholders demand more information, they will see the need for assurance. As more people use CR information to make decisions, the economic implications of using this information are increasing. Credibility of the information becomes crucial as the information is publicly presented.

Reporting’s Returns
If assurance is an investment in establishing credibility for CR reports, what is the return on investment (ROI)? The answer depends on what a company hopes to gain from the process of reporting and assurance. A quantifiable ROI might not be calculable because many of the benefits are qualitative and have long-term impacts. Risk mitigation is one example. If the CR report process enables companies to focus on being active in mitigating economic, environmental, and social risks, companies can be more resilient when responding to crises. For example, without a dedicated approach to tracking and eliminating slave labor in their factories or supply chain, companies can be caught unable to respond in an appropriate and timely fashion to the discovery of such instances. Being less able to respond to the problem means being less in control of the narrative of events. Another benefit is that CR reports and assurance can be a product differentiator. The Carbon Disclosure Project (CDP) ratings of companies is using the assurance of greenhouse gas emissions. If assurance on these reports provides differentiation between companies, credible information has tremendous value.

Why might assurance reports from non-accounting firms seem more informative than those produced by accounting firms? Accounting firms are bound by professional standards that cover report content and are consistent across similar engagements. The assurance report form and content are based on those standards similar to those for financial statement engagements. There are three standard paragraphs, which include an introduction, the scope of work, and a conclusion. In both financial statement audits and nonfinancial attestation engagements, accounting firms provide detailed recommendations for improving processes and operations in a “management letter,” which is not made public. These letters are viewed as internal management tools that are not necessarily useful to external users because of the level of detail about internal controls, processes, etc. Non-accounting assurance firms are not bound by specific standards that guide their work and report content. Their report forms can vary depending on the requests of their clients.

How should a company choose its assurance provider? Company officials should decide what they want the CR report and assurance to provide. It should not be viewed as a commodity, because one size does not fit all companies. Companies need to discuss their needs with various providers and assess what is appropriate for their sustainability journey. CR reporting and assurance is evolving as the demand for report content and format are changing. Many CR reports are freestanding, but the trend is toward integrated reporting, which has sparked the interest of many preparers and users. In October 2011, the International Integrated Reporting Council (IIRC) formed to create “a new approach to corporate reporting that demonstrates the linkages between an organization’s strategy, governance, and financial performance and the social, environmental, and economic context within which it operates.”

The goal is to have one central report that is equivalent to a financial report. Many contributors, such as companies, regulators, accountants, investors, academics, and various stakeholder groups, are developing an integrated framework. A pilot program with 80 companies is underway to develop principles, content, and practical application of the International Integrated Reporting Framework. In mid-2013, a draft is scheduled for publication. If accepted globally, this new approach will have profound effects on CR reporting, assurance services, and assurance providers.

How much do reporting and assurance services cost? Pricing for these CR reporting and assurance services depends on what is provided and by whom. Companies need to assess what they want and which provider meets their needs. There are many important questions to ask before deciding which firm is the right one. What are the provider’s methods for delivering assurance? Are their methods rigorous and understandable? Which provider is likely to address their long-term needs? How does the future of reporting fit into their plans?

Can assurance of CR reports counter charges of “greenwash?” For negative actions that are covered up in a CR report, an assurance on the report lessens the likelihood that a misstatement would be missed. If the information in a CR report is geared to promoting only a company’s positive actions, the answer is no. An assurance report would only address the items in the report and not necessarily the items omitted. A globally standardized reporting framework could address this issue.

Achieving sustainability is a multi-faceted task, one that is dynamic and requires deliberate assessment. To get the most out of reporting and assurance, companies need to become educated on the process, the providers, and the outcomes. One way is to look to other firms’ reports and their successes. Another is to solicit information from providers about what they can do for the company. If done with the intention of improving operations, building their brand, mitigating risks, and communicating with stakeholders, companies can benefit from the this close examination of their operations as they plan for the future.

Gwendolen B. White is an associate professor of accounting at the Miller College of Business at Ball State University. Allan Colaco (KPMG), Eric Hespenheide (Deloitte), Eric Israel (PwC), Brendan LeBlanc (Ernst & Young ), Amy Pawlicki (AICPA), and Peter Townsend (CorporateCitizen) shared their insights for this article. White can be reached at

Posted January 4, 2013 in Corporate Governance