Summary
An international insurance company is taking a leading approach by exploring the application of Sarbanes-Oxley style assurance principles to non-financial reporting, with a clear action plan to give directors confidence that the environmental, social and governance (ESG) report contains only robust and meaningful information.
Challenge
In line with company values, ESG factors are important to the company. Wanting to ensure transparency and accuracy of information, the company’s leadership saw a need to respond proactively to imminent, increasing scrutiny of non-financial reporting. Various standards relating to ESG and other non-financial reporting are emerging, and stakeholder expectations are growing, including from insurance and stock market regulatory developments.
While processes for producing the company’s annual ESG report and other non-financial reports were in place, management and the board recognised an opportunity to improve the company’s preparedness for future reporting requirements.
Internal audit was, therefore, asked to provide an assurance review and identify opportunities to strengthen and enhance controls for future reporting. Internal audit was challenged by the lack of firm international standards for the reporting of ESG matters. They therefore considered the principles of management assurance by referring to regulation such as Sarbanes-Oxley.
Solution
The insurer set out to manage non-financial reporting by adopting principles relied upon for financial reporting in a Sarbanes-Oxley environment. Internal audit provided an assurance report to the head of sustainability with confirmation that existing processes were appropriate for current and emerging regulatory expectations and collaborated with management to create an action plan to enhance the company’s controls ahead of new regulatory requirements. Internal audit also provided such assurance to the company’s audit committee for consideration when the ESG annual report was presented to it prior to its release.
The recommended action plan involves:
- clarifying responsibilities for the accuracy, documentation and submission of non-financial reports with a supporting internal control structure;
- producing formal documented control sheets to confirm that the data was checked for accuracy, completeness, reliability, relevance and timeliness, and to record who signed off the control; and
- verifying third-party information, for example for the independent verification of greenhouse gas emission statistics.
Next steps will include formal documentation of the end-to-end process of creating and approving the ESG report for public release.