Talk:AA1000 Assurance Standard 2008

From AccountAbility AA1000 Wiki

Comments on the AA1000AS (2008) -- AA Technical Committee 11:33, 17 July 2008 (UTC)

Please post your comments on the AA1000AS (2008) here

Suggested amendment to Type 1 and Type 2 assurance -- Andrew Britton from Ernst & Young LLP 08:59, 15 August 2008 (UTC)

The introduction of two types of assurance to AA1000AS as a means of increasing the accessibility/affordability of AA1000 assurance to a wider range of reporting organisations is a good idea; however the description of these two types in the current consultation draft needs further development. Currently, it is not clear what the difference is between Type 1 and Type 2, as it is unlikely to be possible for an assurance provider to provide a conclusion against the principle of completeness without reviewing an organisation's performance information.

The following approach is suggested:

Type 1 - Evaluation of adherence to the principles of inclusivity and materiality only. This would allow reporting organisations to take a first step on AA1000AS by seeking assurance that the organisation was engaging its stakeholders and had a process in place to ensure it was reporting on the right (material) issues, but would not seek to verify the completeness of all the reported information. Specified performance information could also be reviewed, and assurance provided on the completeness and accuracy (or other criteria) of this performance information. This would increase the attractiveness of AA1000AS to organisations who may not feel ready for full AA1000AS assurance, or may not be able to justify the cost of full assurance across all areas (eg, a company where CR issues are relatively low risk to the company due to the nature of its activities). Different levels of assurance could also be applied to specific elements of the report (eg, specific performance information). An example of Type 1 assurance could be a report where assurance is provided over the environmental and health & safety sections of the report, together with conclusions on inclusivity and materiality. The report could also have a reasonable (high) level of assurance over, for example, the health & safety section, and limited assurance over the rest, and still be a Type 1 engagement.

Type 2 - Evaluation against all four principles (ie, 'conventional' AA1000 assurance). Different levels of assurance - ie limited (moderate) and reasonable (high) - could be applied to specific elements or all of the report.

Comment on Suggested amendment to Type 1 and Type 2 assurance -- David York 14:47, 19 August 2008 (UTC)

The suggestion that "Currently, it is not clear what the difference is between Type 1 and Type 2, as it is unlikely to be possible for an assurance provider to provide a conclusion against the principle of completeness without reviewing an organisation's performance information." is interesting. I agree that the assurance provider would have regard to the organisation's performance information but the absence of an explicit opinion on it (eg verification) is a key difference. Nevertheless, the definitions/explanations should be examined for possible improvements.

The suggestion that the Types change to allow evaluation of adherence to the principles of inclusivity and materiality only (Type 1) is radical. I am not convinced that 'Inclusivity' can be evaluated without reference to completeness and responsiveness - but it depends on the precise wording. This comes down to usefulness of the engagements, however, so comments from users would be helpful here.

Re: Suggested amendment to Type 1 and Type 2 assurance -- David York 14:47, 19 August 2008 (UTC)

Type 1 Evaluation -- StewyM 12:26, 3 September 2008 (UTC)

Whilst I have no concerns about how Type 1 and Type 2 assurance have been defined -

I have a concern about attaching a statement to a report whereby the statement scope only covers a part of the scope of the report.

Is there a danger that the statement will in reality apply credibility to all of the information in the report? You would be relying on the fact that interested parties read the statement and not just see that an assurance process has been carried out and leave it at that.

Very great care will need to be applied in writing the statement to ensure it is clear what Type 1 assurance refers to and that only Type 1 assurance has been applied.

best regards Stewart Manegold

Glossary -- StewyM 12:30, 3 September 2008 (UTC)

A definition of assurance engagement risk would be useful, I am not sure all readers will understand this term.

5.7 Engagement Acceptance -- StewyM 12:37, 3 September 2008 (UTC)

In 5.7.2 second paragraph you allow for challenge to the competencies of the assuror. On the basis of promoting transparency would it also not be a good idea in section 5.7.1 to allow for challenge to independence as well?

Once an engagement has been accepted, should this engagement be publicly published by the assuror or reporter to allow stakeholders to challenge the independence of the assuror?

Stewart Manegold

5.10.1 Assurance Statement -- StewyM 12:51, 3 September 2008 (UTC)

The requirements of the assurance statement shall include various information as a minimum including:

Intended audience - if the intended audience is not the stakeholders should it not be required that this is justified, the point of the reports is to put the reporter's point of view to stakeholders otherwise why would they publish publicly. Therefore the assurance statement is on behalf of the stakeholders not the reporter and should be addressed accordingly?

Description of methodology, this is only really useful if it includes sample sizes etc so the reader can assess to what depth the methodology reached. More guidance in this area would be useful as bland statements stating that interviews were carried out with staff, or that systems were reviewed do not really tell the stakeholder anything of use whereby risk can be assessed.

Recommendations, this needs to be split into sections. This year's recommendations and how the previous year's recommendations were addressed. The guidance section does state this, but making it clear in the standard this is required will ensure these two areas are covered and not 'fudged' across.

Stewart Manegold

Comments from Rebecca Bowens, SGS -- Dwaistell 13:32, 11 September 2008 (UTC)

· The new standard is much better structured and should enable users to implement procedures/processes in order to follow the requirements

· The two types of assurance will allow for different types of assurance provider, but will there be a requirement to state which type of assurance has been used, for example in a description of the scope of work in the Assurance Statement, or will it just be indicated by the content of the conclusions? If the latter, then stakeholders may not be sufficiently aware of the different types of assurance potentially being undertaken.

· I note the link with ISAE3000 allowing a higher and moderate level of assurance. However each Assurance Provider will determine their approach at either level, so what one Assurance Provider might consider a high level of assurance, another might only consider a moderate level. I’m not sure that there is a way to overcome this though.

· In the guidance document for Assurance Providers there does not seem to be much reference to assurance of reported information, so the Reporting Organisation may well have implemented procedures to identify material issues and for completeness in identifying and understanding material issues, and have responded to them. However there seems to be a missing element here, surely there needs to be some reference to them having to disclose or report on these issues, or else explain why they have omitted them. I note that you have linked the Quality of Information criteria to those in GRI, but a similar link for the AA1000 principles with the GRI Reporting Principles which define Content (Materiality, Stakeholder Inclusiveness, Sustainability Context and Completeness) could also be made.

re type 1 and 2 assurance -- Susantodd 22:02, 11 September 2008 (UTC)

Is there a risk of creating confusion among readers with two types of assurance when there are also two levels of assurance (and three levels of GRI reporting that can be assured)? Assuring whether the principles are meaningfully applied may not be the simple entry level function that is intended - it may require a deep look into management systems and processes (at least at the high level of assurance) and may be more akin to certification (when an ISO std on CR is in the offing). I imagine that most of the demand for assurance services will come from GRI reporters. They may want only their report assured and unless the report makes assertions about their application of the AA1000 principles it seems unduly limiting to require assurance of the application of the principles as a starting point.