Talk:AA1000 AS Guidance for Assurance Practitioners
From AccountAbility AA1000 Wiki
-- Dwaistell 11:37, 23 May 2008 (UTC)
This area to initiate discussion around the guidance section. Please post your comments here relating to a particular issues or any other general comments you have.
What are the core issues that make up a sustainability assurance? -- Syedain 13:16, 28 February 2008 (UTC)
The document doesn't highlight the core issues that define whether an organisation meets the standards of corporate sustainability. Is and should the document go into the issues of fair trade, carbon costs etc. Where is the criteria?
Re: What are the core issues that make up a sustainability assurance? -- Adrian Henriques 10:17, 11 March 2008 (UTC)
Should an assurance provider comment on the level of sustainability performance which the organisation has demonstrated?
I believe it should.
levels of assurance -- NetBalanceManagement 00:25, 4 March 2008 (UTC)
Net Balance welcomes the discussion over levels of assurance and believes that it is important to ascertain the most appropriate method of defining these levels within the context of sustainability assurance. Net Balance strongly believes that the AA1000AS should not adopt the same levels of assurance as those used in the ISAE3000 – limited and reasonable. As discussed in the consultation draft, the language used is not appropriate for use in these statements for a number of reasons:
• Readers who are not experts in the field are unlikely to understand the “double negative” language adopted in the limited statements using this method – for example - “nothing has come to our attention that would lead us to conclude that information is materially misstated”. This can be expressed in simpler language than this, using the terminology often seen in AA1000AS statements, which often provide detailed areas of weaknesses and recommendations for improvement, rather than ISAE 3000 statements. The two types of statement essentially communicate the same outcomes, but one is much easier to understand than the other for non-expert readers. • Grouping assurance engagements together into these two levels is very limiting. As this terminology is traditionally used for the more data orientated assurance engagements (checking that the data is credible and accurate), it does not allow for the wide breadth of activities that are undergone in AA1000AS engagements – stakeholder engagement, testing of materiality of issues, peer reviews, assessing responsiveness to stakeholder concerns etc.
That said, Net Balance does agree that some classification of assurance levels needs to be introduced into the AA1000AS as simply disclosing transparently the methodology used is not longer sufficient – there needs to be some way of defining a certain technique.
Net Balance therefore suggests that: 1) The terms “limited” and “reasonable” levels of assurance are removed from the AA1000AS entirely; and 2) Instead, a clearer classification system is introduced which is easy to understand and use, and takes into account the wider breadth of activities undertaken in today’s assurance engagements. The simplest division in this sense would be to define the levels as:
o Data verification – assurance that concentrates primarily on carrying out checks on quantitative data relating to an organisation’s environmental, social and economic performance and assessing the accuracy and credibility of this data. This level of assurance could carry a statement to the effect that “we conclude that the data presented herein relating to (provide areas of data verified) is materially not misstated. o Data and qualitative disclosure verification - this takes into account both the assessment of the accuracy of quantitative data but also the accuracy of the qualitative, issues based commentary. This level of assurance could carry a statement to the effect that “we conclude that the data and statements presented herein is materially not misstated”. o Report assurance - this takes into account assessment of the accuracy of quantitative data, and the accuracy, materiality and relevance of the qualitative (issues based) commentary, as well as the completeness of issues presented, and the responsiveness of the organisation.
This level of assurance could carry a statement to the effect that “Overall, the assurance provider is satisfied that the report is an appropriate representation of the organisation’s sustainability performance during the reporting period”. These three levels of assurance are able to take into account the materiality, completeness and responsiveness principles as outlined in the AA1000AS, but only the third level would offer a more in-depth, stakeholder inclusive analysis of a report’s contents.
These three levels could be further split into “bands” of assurance (much like the GRI A, A+ system) to give readers a more comprehensive understanding of what the assurance engagement involved.
Re: levels of assurance -- Australia Melbourne Consultation Recommendations 11:26, 18 March 2008 (UTC)
Do not refer to levels. There should be no comment on levels but specific guidance on defining scope in the statement in terms of depth and breadth of coverage
Re: levels of assurance -- Banarra 22:12, 3 April 2008 (UTC)
We support this recommendation.
To name levels raises enormous questions about standardisation of methodology. Without specific standardisation as ISAE3000 provides it is not possible to articulate levels. Banarra believes that articulating levels will curtail innovation in methodology for sustainability assurance.
Re: Re: levels of assurance -- Dwaistell 13:40, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP (moved to discussions by Admin)
Under ISAE3000, the level of assurance obtained relates to the extent of the evidence gathering procedures. ‘Limited’ assurance under ISAE3000 does not necessarily mean the information is inherently of a lower quality than that subject to ‘reasonable’ assurance, rather it means that it has not been subject to as extensive testing.
In addition, the application of the approach set out in the draft Guidance requires subjective judgements by Assurance Practitioners(eg, on the “quality of evidence”) that are likely to have an adverse affect on the comparability between companies, assurance Practitioners, and performance over time.
Despite AccountAbility’s stated aim of compatability between AA1000 and ISAE3000, there appear to be fundamental differences in the approach to levels of assurance in the two standards. Applying both standards could result in referring to different levels of assurance within the same statement and cause confusion for report users.
Re: Re: Re: levels of assurance -- Dwaistell 13:41, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP (moved to discussions by Admin)
In our experience a high level of assurance (eg, ‘reasonable’ assurance under ISAE3000) requires extensive evidence gathering and testing procedures and can take up considerable time and resources. Therefore serious consideration needs to be given to the necessity and benefits of seeking such a level of assurance.
In many cases, the highest level of assurance is not necessary to enable report users to make an informed judgement on the performance of an organisation. In many cases obtaining such assurance may be impractical, very time consuming and does not represent best value. For example, to evaluate year-on-year changes in performance of certain aggregated organisation-wide environmental data (such as oxides of nitrogen) may not require the highest level of assurance under ISAE3000. In such cases ‘limited’ assurance under ISAE3000 may provide adequate assurance.
There is a risk that reference to the highest level assurance could encourage additional assurance work that may not improve the Report or assist the Report user.
The Standard should acknowledge that it is not always appropriate to obtain the highest level of assurance or beneficial to the report users. If desired, AccountAbility could encourage the reporting organisation to explain in the Report why specific levels of assurance have been sought.
=Re: Re: Re: Re: levels of assurance -- Dwaistell 13:43, 11 April 2008 (UTC)=
COMMENT FROM ERNST & YOUNG LLP (moved to discussions by Admin)
Has AccountAbility reached a conclusion, or is the intention to state in the Standard that this matter is still under debate?
Form of assurance statement -- Adrian Henriques 10:15, 11 March 2008 (UTC)
Does the assurance statemnet have to follow the headings implied in the standard?
Provided it covers the same material, is it OK to write it under a completely different set of headings?
Re: Form of assurance statement -- Korea Consultation Recommendations 11:08, 18 March 2008 (UTC)
We need criteria for what needs to be included in an assurance statement - be more precise and detailed - include an example of a good statement
Re: Re: Form of assurance statement -- Australia - Sydney Consultation Recommendations 11:17, 18 March 2008 (UTC)
Standardize assurance statements under the AA1000AS through provision of guidance on what should be included
Clarify the scope -- Australia Melbourne Consultation Recommendations 11:33, 18 March 2008 (UTC)
There is a need to clarify the scope of the AA1000AS application. You need to be transparent about restraints of scope. Also there is a need to clarify the relationship between scope and duty of care and boundary
Re: Clarify the scope -- India Consultation Recommendations 11:50, 18 March 2008 (UTC)
The standard should provide a minimum scope, this should include the determination of material issues
Re: Re: Clarify the scope -- UK London Consultation Recommendations 11:57, 18 March 2008 (UTC)
Assurance can be limited to scope related to specific subject matter areas (e.g. environment, human rights) but scope must then begin by assessing material issues within that subject matter area. The reasons for any exclusions for scope must be made transparent though.
Duty of Care -- UK London Consultation Recommendations 11:59, 18 March 2008 (UTC)
Stating that there is a duty of care to all stakeholders goes against the grain of current practice and has a legal connotation
Tests -- Banarra 22:20, 3 April 2008 (UTC)
The inclusion of the tests sections within each requirement of the Standard is a significant improvement upon the previous version.
In a practical sense the test questions mean that current assurance methodologies must be reviewed to ensure they can in fact answer each of the testing questions. The extent to which these will be formally responded to in the assurance providers’ communication is an interesting question. Should stakeholders expect that each test question is formally responded to in the public domain or expect that all questions have been examined by the assurance provider?
Role of reporting organising and assurance provider, Comment from E&Y, moved to discussions by Admin -- Dwaistell 13:34, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
There is a need for this section of the Standard to clearly distinguish between the role of the reporting organisation and the role of the assurance provider.
The Report should provide adequate information to enable the report user to understand the reporting organisation’s sustainability performance. The assurance statement should provide assurance on this information. As an option, the assurance statement can also provide an opinion or comment on aspects of the sustainability performance described in the Report.
The Standard should be clear that it is the responsibility of the reporting organisation to report on its own sustainability performance. It is the role of the Assurance Practitioner to provide assurance on the information contained in this report. The Standard should be explicit that assurance is over the content of the report, not the overall sustainability performance of the reporting organisation.
Defining scope - using information ouside the report, Comment by CSR Network, moved to discussions by Admin -- Dwaistell 13:37, 11 April 2008 (UTC)
COMMENT FROM CSRNETWORK
The standard should clarify whether the assurance provider can consider information outside the report in reaching an opinion. If so the implications of evaluating other materials should be explained.
Audience of assurance statement, Comment by E&Y, moved to discussions by Admin -- Dwaistell 13:38, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
It is accepted practice to address the Assurance Statement to the management of the reporting organisation. This is to prevent an extension of legal responsibilities to parties beyond those covered by the contractual arrangements for the assurance engagement.
ISAE 3000, AA1000 and Stakeholder-based materiality, Comment from E&Y, moved to discussions by Admin -- Dwaistell 13:45, 11 April 2008 (UTC)
ISAE 3000 provides guidance on the approach and procedures that enable an assurance engagement to be undertaken in a systematic and consistent manner and in line with professional auditing standards and codes of conduct. AA1000AS is a principles-based assurance standard that defines the necessary processes required to apply these principles during an assurance engagement. The two standards differ in their approach to the scope of the subject matter. ISAE 3000 requires the Assurance Provider to agree on the scope of the subject matter of the assurance engagement with the reporting organisation at the outset, and to apply considerations of materiality in relation to this predetermined scope. The AA1000AS takes an open-scope approach determined by stakeholder-based materiality. It defines stakeholders as individuals and groups that affect and/or are affected by the organisation and requires that Assurance Providers assess the quality of the organisation’s engagement with these stakeholders and the robustness of its decision-making processes regarding "stakeholder-based" materiality.
---
COMMENT FROM ERNST & YOUNG LLP
This paragraph appears to imply that ISAE 3000 does not allow for assurance conclusions to be formed on the basis on stakeholder-based materiality. This is incorrect; assurance providers can use both ISAE3000 and AA1000 if a suitable methodology is in place that ensures the assurance provider considers the views of the organisation’s stakeholders – we consider this to be an important aspect of assurance on sustainability reports.
Subjectivity and Levels of Assurance, Comment by E&Y LLP, moved to discussions by Admin -- Dwaistell 13:46, 11 April 2008 (UTC)
The AA1000AS defines level of assurance as the level of confidence the assurance provider obtains concerning the reliability of information and the scope of the subject matter, and does not define specific levels of assurance.
---
COMMENT FROM ERNST & YOUNG LLP
As noted above, this last sentence introduces a significant element of subjectivity to the application of the Standard, and is likely to adversely impact the quality of reporting and assurance practices.
---
Performing the engagement - minimum standards, Comment from CSR Network, moved to discussions by Admin -- Dwaistell 13:50, 11 April 2008 (UTC)
COMMENT FROM CSRNETWORK
The Requirement and guidance are the same is this an error? This section should clearly set out minimum practice standards.
Responsibility for setting our intended audience, Comment from E&Y LLP, moved to discussions by Admin -- Dwaistell 13:53, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
The Standard should make it explicit that it is the responsibility of the reporting organisation to set out, in the Report, the intended users of the Report.
We consider that it is not always practical to include a list of intended users within an assurance statement. Moreover, it is accepted practice to address the Assurance Statement to the management of the reporting organisation. This is to prevent an extension of legal responsibilities to parties beyond those covered by the contractual arrangements for the assurance engagement.
Audience of assurance statement, Comment from CSR Network, moved to discussions by Admin -- Dwaistell 13:55, 11 April 2008 (UTC)
COMMENT FROM CSRNETWORK
We agree the statement is addressed to management for liability purposes. Given the statement is the assurance providers independent opinion it can also be used to inform other stakeholders.
Assurance Provider Competencies in Statement, Comment from E&Y, moved into discussions by Admin -- Dwaistell 13:58, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
We support disclosure on the competencies, impartiality and independence of the Assurance Practitioner. However, we would be concerned about the potential risks involved in disclosing individual’s names. There may be potential legal liability risks. In extreme cases involving Reports on contentious subject matter, this could result in privacy and even security risks.
If the intention is to disclose individual’s names, it is not clear from the Guidance what purpose this serves. It is also not clear how this would assist the intended users understanding of the Report or Assurance Statement.
We understand that some report ‘watchers’ think that sustainability programmes and reports may be less credible when they are led by certain departments (eg, public relations. However, we consider that it is the role Assurance Practitioner to ensure that the report is balanced and accurate or to say otherwise in the statement. Moreover, typically sustainability programmes involve a wide range of departments (eg, HSE, human resources, external affairs, internal audit, etc) and report content is provided by them for inclusion in the report, with the ‘lead’ department acting in a collation and coordination role. Therefore, we cannot see the benefit to report users by understanding which department leads the reporting efforts.
Description of scope in the assurance statement, comment by E&Y LLP, moved to discussions by Admin -- Dwaistell 13:59, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
It is the responsibility of the reporting organisation to define its organisational boundaries, the period covered by the Report and the subject matter covered. It is the responsibility of the Assurance Provider to provide assurance on this description. AccountAbility must be careful that the wording of the Standard does not confuse these two roles.
Are conclusions required on quality of information principles? Comment by E&Y LLP, moved to discussions by Admin -- Dwaistell 14:01, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
AccountAbility should clarify if conclusions are only required on the content principles (Materiality, Completeness and Responsiveness) or whether conclusions are also required on quality of information principles (Reliability, Clarity etc).
Re: Are conclusions required on quality of information principles? Comment by E&Y LLP, moved to discussions by Admin -- Dwaistell 14:03, 11 April 2008 (UTC)
COMMENT FROM CSRNETWORK (moved to discussions by Admin)
Comments around quality of information are currently included under completeness, so we agree that there should be clarity over whether these need to be identified separately.
Differentiating the assurance opinion and report to management, Comment from E&Y LLP, moved to discussions by Admin -- Dwaistell 14:05, 11 April 2008 (UTC)
COMMENT FROM ERNST & YOUNG LLP
AccountAbility should make it absolutely clear that the purpose of the assurance statement is to give assurance over the content of the report, not the performance of the reporting organisation. Of course, it is general good practice to provide management with a more detailed report following the completion of the engagement, and this report will typically discuss the Assurance Provider’s observations and recommendations resulting from the engagement. Much of this information may be confidential, as it relates to observations on the reporting organisation’s management practices rather than the report itself. However, it is important to be clear that additional conclusions or obserations in the management report should not impact upon the assurance opinion provided for the report.
It is for this reason that the Standard should be very clear on the difference between assurance conclusions, and descriptions of methodology, findings, recommendations etc. See edits above.
Assurance oversight - cost implications, Comment from Banarra, moved to discussions by Admin -- Dwaistell 14:19, 11 April 2008 (UTC)
Adequate Assurance oversight to ensure that the organisation is undertaking Assurance to the highest possible standards and is not compromised by commercial interests or inadequate competencies. Oversight of Assurance work is required by one or more mechanisms or processes, such as an Assurance Committee, involving people neither undertaking nor benefiting from the Assurance work in question.
--- Comment by Banarra: This requirement has significant cost implications for a small consultancy providing assurance against AA1000AS. It would also require significant change in other mechanisms such as a panel or individual expert providing assurance against AA1000AS.
Comments from TC discussions -- AA Technical Committee 13:56, 16 April 2008 (UTC)
Requirements related to roles - independence and impartiality. How do we make this more rigorous.
Explain the relationship between reporter, assuror and user - should go in guidance to users.
Can we adequately prove impartiality - how? Or is it a concept too far? Check with academics working in this field.
Revise the text to make independence more rigorous and open a discussion to ask whether impartiality is viable?
Scope - stages of scope (see A, B, C, D comments on main page). Stakeholder panels can be used to give level A assurance but cannot deliver assurance on the accuracy and reliability of the data.
Duty of care - difference of duty of care in principe/idea and the legal implications - acknowledged. Implicit duty of care to stakeholders becomes problematic. p.25 duty of care here is actually due care.
Variation in duty of care legislation around the world - this needs to be taken into account and reflected in the standard. Where local regulations permits - statement should be addressed to readers (defined stakeholders)
Can you state a professional responsibility rather than a legal responsibility - covered by code of ethics?
Levels of assurance
Shift towards having assurance - but how to do it is still a huge issue.
TC decision to take a position on this - this will be open to discuss but it was suggested that a position is needed in order to advance this.
Suggested 2 levels to be used. The names of these are uncertain and to be discussed. Proposed using review and audit. Could create confusion. Question as to whether ISAE3000 has deliberately diregarded these terms - reserved for financial audit. Can we create something new (moderate and high level of credibility/reliability). Is this an area for academic discussion, accounting standards discussion - contact Michael Nugent?
How much work is required at each level? This is a large challenge. Depends on the subject matter and the systems in each place. This needs to be decided?
Draft text of what levels means and what you need to do at each level.
Assurance Statement
People want meaningful information in the statement. There is a demand for comparability.
Mandatory headings. Guidance linked to each heading - examples.
Single sentence to go with each level of assurance
Need to expand conclusions to 'conclusion on application of the principles and quality of information according to the scope.
Potential for issuing a document stating the AA1000 principles - use for management, reporting, assurance. Assurance standard would then go about explaining how to evalutate adherence to the AA principles. This would not replace guidance in the Assurance Standard, as that guidance would be focussed on assurance only. This would give an option to tighten up the principles as well.
Guidance - reliability needs to link back to materiality of information.
Comments from Adrian Henriques -- Dwaistell 15:36, 3 June 2008 (UTC)
It is not very clear how the questions under ‘Report(ing) Disclosures’ and ‘Systems and Processes’ are to be used. The general format is a good idea, but it needs to be tightened up. For example, where a yes/no response is suggested, the questions don’t all have the same direction – in that a ‘yes’ is always good. In general the guidance seems rather repetitive and poorly structured
