ENHANCING INTEGRATED REPORTING€¦ · ronment, internal audit can play several roles depending on the maturity of the reporting processes and on the road map of the organization

ENHANCINGINTEGRATEDREPORTINGINTERNAL AUDIT VALUE PROPOSITION

Fra n ceN e t h e r l a n d s

N o r wa yS p a i n

U K a n d I r e l a n d

© Copyright 2015

Copyright © 2015 by The Institute of Internal Auditors (IIA France, IIA Netherlands, IIA Norway, IIA Spain, IIA UK and Ireland)strictly reserved. No parts of this material may be reproduced in any form without the written permission of The IIA(IIA France, IIA Netherlands, IIA Norway, IIA Spain, IIA UK and Ireland).

ISBN : 978-84-943299-1-3

This publication is released by European institutes of internal auditors (IIA France, IIA Netherlands,IIA Norway, IIA Spain, IIA UK and Ireland) with the valuable contribution of IIA Global and the IIRC.

Task force members:

Etienne Butruille, Director, Governance Risk and Compliance, KPMG

Papiya Chatterjee, Senior Policy Officer, Chartered Institute of Internal Auditors UK & Ireland

José Ignacio Dominguez, CAE of Ezentis

Sergio Gómez-Landero, CIA, CISA, Corporate social responsability, Enel/Endesa S.A

Paul Kaczmar, FIIA, President Chartered Institute of Internal Auditors UK and Ireland, Director of Inter-nal Audit and Risk PageGroup.

Bruno Lechaptois, Deputy Internal Control, Orange

Patrice Lecoeuche, Internal Audit Director, DANONE

Philippe Mocquard, CIA, CEO IIA France (IFACI – Institut Français de l’Audit et du Contrôle Internes)

Eli Moe-Helgesen, Partner, Leader Risk advisory services, PwC

Valérie Moumdjian, VP Internal Audit & Risk Management, SOLVAY

Marie-Hélène Sinnassamy, Senior Vice President Transversal Project Finance, Energy Europe BusinessLine, GDF SUEZ

Michael van der Weide, Audit director, Group Audit ABN AMRO

Coordinators:

Javier Faleato, CIA, CCSA, CRMA (CEO, IIA Spain)

Beatrice Ki-Zerbo, CIA (Director of Research, IIA France)

© Copyright 2015

CON

TEN

TS

Internal audit value proposition

Executive Summary ..................................................................... 1

Frequent questions about Integrated Reporting (). 3

Briefing for board members and senior management........ 7

A guide for internal audit and risk practictioners ..... 12

fundamental concepts and principles ..................... 15

fundamental concepts .......................................................... 15

guiding principles .................................................................... 17

1. Strategy and connectivity ..................................................... 17

2. Significance and accessibility .............................................. 18

3. Soundness and fairness .......................................................... 20

Internal audit roles around the content elements ...... 23

Context and structures for value creation ............................. 23

1. Organizational overview and externalenvironment ....................................................................................... 24

2. Governance .................................................................................... 24

3. Business model ............................................................................ 25

Goals and outcomes monitoring ............................................... 25

1. Strategy and resource allocation ...................................... 26

2. Performance ................................................................................... 26

Dealing with the effects of uncertainty .................................. 28

1. Risks and opportunities .......................................................... 28

2. Outlook .............................................................................................. 29

Appendices .................................................................................. 31

1. Task Force objectives and approach ............................... 31

2. The fan: several roles for internal audit .............. 32

3. Examples of initiatives and internal audit roles 33

Bibliography ................................................................................ 35

ENHANCINGINTEGRATEDREPORTINGINTERNAL AUDIT VALUE PROPOSITION

Briefing for board and senior management

© Copyright 2015

About this paperIntegrated Reporting is a new development withmultiple challenges. A European task force wasinitiated in April 2014 by several institutes1, affi-liates of the Institute of Internal Auditors (the IIA),to clarify why and how internal auditors can helpbuild an efficient integrated reporting processand meet the needs for assurance. The task force recommendations are not man-datory. They are based on the International Pro-fessional Practices Framework (IPPF) of the IIAand a literature review on .

Each section of the Framework, the marketled and principles-based initiative of the Interna-tional Integrated Reporting Council (IIRC), hasbeen reviewed to: highlight the concepts, principles and

content elements recommended by the IIRC; identify potential challenges to and enablers

of the implementation of these recommen-dations;

clarify the underlying governance, risk andcontrol issues;

discuss internal audit’s assurance and advi-sory role;

share good practices. For example, regardingcoordination with other functions.

The briefing gives an overview of thisresearch to those charged with governanceand senior management.

The guide provides actionable recommenda-tions for internal audit and risk practitioners.

1 IIA France (IFACI), IIA Spain (IAI), IIA Netherlands, IIA Norway,IIA UK & Ireland

About the integratedreporting quakeReporting culture has changed significantly inthe last decades. Mandatory or voluntary requi-rements around financial and non-financialreporting (such as European and national regu-lations, stock exchange authorities’ recommen-dations) are increasing. Organizations areproducing different reports to meet externaldemand from providers of financial capital,rating agencies, customers, citizens, etc. Moreo-ver, in a time of resource constraints and inten-sified competition, organizations are looking forsustainable business performance and a closerelationship with their stakeholders.

is a process founded on integrated thinkingthat results in a periodic integrated report.By focusing on achievement of organizationalobjectives over time and related communica-tions, is a critical process in this context, ithelps the company report the overall valuecreation story.

“An integrated report explains how an orga-nization creates value over time. It thereforeaims to provide insight about: The external environment that affects

an organization The “capitals” (resources and the rela-

tionships used and affected by the orga-nization), whether they are financial,manufactured, intellectual, human,social and relationship, and natural

How the organization interacts with theexternal environment and the capitalsto create value over the short, mediumand long term.”

From, The International Framework.The IIRC (2013), p10

EXEC

UTI

VE

SUM

MA

RY

© Copyright 20151

About the role of internalauditWhile it is not internal audit’s responsibility to determinespecifically what must be disclosed or to design the under-lying disclosure processes, it can be a key player in this newinitiative.

The IIA’ code of ethics promotes an ethical culture amonginternal auditors. It helps them support the integrity andtransparency underlying .Internal audit professionals routinely interact closely withkey players that are central to an organization's integratedreporting process. With its organizational independence aswell as a sound understanding of the business and its envi-ronment, internal audit can play several roles dependingon the maturity of the reporting processes and on the roadmap of the organization towards integrated reporting.

“Internal audit is uniquely situated within an organi-zation to provide insight on and support the imple-mentation of integrated reporting. Internal audit: Is familiar with process implementation in the

organization. Can affect consistency of communication of

metrics across business units. Provides assurance to increase the credibility of

metrics in the integrated report. Offers insight on potential risks to the organiza-

tion. Has a “seat at the table” from which it can

influence the adoption of to improve andstrengthen communications with internal andexternal stakeholders.”

From Integrated reporting and the emerging role ofinternal auditing. The IIA (2013b)

2© Copyright 2015

Internal audit’s assurance role can be achievedvia different types of engagements such as: anassurance on the integrated report, a focus ongovernance, risk management and control pro-cesses supporting the main objectives of inte-grated reporting. However, internal audit’sinvolvement is not limited to the assessment ofthe due process of reporting. It should also pro-vide an independant assurance on the reliabilityof the facts and figures included in the report aswell as ascertain the existence of an integratedthinking culture within the organization.

As counsellor, internal audit can also provideadvice and insights, especially when organiza-tions are in the early stages of building their inte-grated reporting/thinking processes. As part ofgood governance, this role can take severalfocuses such as: advocating the value of ,facilitating process design and control duringthe roll out phase, fostering integrated thinking,etc. In addition, the chief audit executive mustdetermine the level of reliance on other internalassurance providers (such as risk management,internal control, information security, qualitymanagement, safety and environment, etc.).Relevant work performed by others should beleveraged.

Internal audit should foster the development ofan integrated reporting approach and be invol-ved from day one. Chief audit executives mustbe proactive in anticipating the demands ofthose charged with governance and sustainingintegrated thinking.

EXECUTIVE SUMMARY

FREQ

UEN

T Q

UES

TIO

NS

ABO

UT

INTE

GRA

TED

REP

ORT

ING

(<IR

>)

© Copyright 2015

Why my organizationshould evolve toward thisnew reporting initiative?Organizations must be aware of and understand the increasingand evolving demands of corporate reporting and be preparedto adapt their internal structure to produce reliable, decision-useful information. With its focus on an organization's valuecreation over the short-, medium-, and long-term, IntegratedReporting () provides a unique opportunity for develop-ment and improvement in the way that information is mana-ged and reported both internally and externally. Properlydesigned and effectively implemented, represents thenext step in the evolution of corporate reporting. Beside itsexternal benefits , when properly designed and effectivelyimplemented, can be a management tool for monitoring theexternal environment and coordinating organizational efforts.

What is integrated reporting?The IIRC released the International Integrated Repor-ting Framework in December 2013. This was a keymilestone in the journey towards greater cohesion andefficiency in reporting processes. The Framework focuses on value creation over timebased on different types of ‘capitals’ not limited tofinancial resources. The ambition goes far beyond thecompilation of existing external reporting. The ulti-mate aim is to highlight the ways the organizationleverages its ‘capitals’ by interconnecting their effects.The process is based on an “integrated thinking” stateof mind across the organization, which means brea-king down internal silos as a way of enhancing theorganization’s overall performance.

By providing the principles and entry points for ,the Framework helps improve the quality of informa-tion available to financial capital providers and otherstakeholders. Internally, it sustains more efficient and productiveallocation of the different capitals as well as sound riskand opportunity management.

For more details : www.theiirc.org

3

4© Copyright 2015

FREQUENT QUESTIONS ABOUT INTEGRATED REPORTING ()

Integratedreporting

Improvement ofthe stakeholder

engagementprocess

Compatibility/Conformancewith reportingrequirements

Businessperformance

Short, medium

, long term value creation

The potential benefits of are diverse2 (Eccles and Armbrester, 2011; ACCA, 2014; Crutzen, 2014):

Improvement of the stakeholder engage-ment process: contributes to betterrelations with all stakeholders and greaterunderstanding of their expectations. Key sta-keholders such as providers of financial capi-tal, analysts and data vendors seek accurateinformation. Typically this concerns informa-tion that is not wholly reflected in the finan-cial accounts because of the intangible valueof certain capitals. In addition, this engagement process hasmarket side effects in terms of reduction ofcost of capital, competitiveness, communica-tion with different categories of customers,reduction of supply-chain risks due to inter-actions with vendors and enhancement ofthe organization’s reputation and brand.

Business performance: process helpsa better understanding of the key perfor-mance indicators reflecting the organiza-tion’s business model and strategy, as well as

2 Cf. Understanding transformation: Building the businesscase for Integrated Reporting (IIRC, 2002) and Realizing thebenefits:The impact of Integrated Reporting (IIRC, 2014).

Pioneers’ motivations for implementing are to: undo the inefficiencies of having sepa-

rate reports and reporting processes; break down corporate silos and inspire

more joined-up thinking; provide stakeholders with a one-stop-

shop corporate narrative regardingvalue creation and performance onmaterial issues;

be logical and natural when sustainabi-lity is already embedded in their corebusiness.

From GRI (2013), The sustainability contentof integrated reports – a survey of pioneers.

5© Copyright 2015


the execution of this strategy. These metricscan be shared by different functions toimprove decision making and capital alloca-tion. It contributes to the enhancement ofrisk management systems by aligning theorganization’s risks more closely with itsopportunities. As conveys corporate values, it also haspositive impacts on current and prospectiveemployees’ performance3.

Compatibility/conformance with internaland external reporting requirements.Organizations are facing increasing demandfor financial and non-financial reporting.Whether contractual or regulatory, organiza-tions should be prepared to fulfill thesereporting requirements and provide assu-rance to those charged with governance.

All these benefits contribute to short, mediumand long term value creation. is intendedto become a pillar for the reputation of the orga-nization and an opportunity to reveal the intan-gibles.

Why is “integratedthinking” important?External reporting is only one of the outcomesof (Giovannoni E. and Fabietti G, 2013). TTomaintain the process and for a genuine linkagewith value creation, should be embeddedin the business through “integrated thinking”which is the way to more meaningful manage-ment through: effective knowledge management between

key players (directors, executive and opera-tional managers, financial and sustainabilityreporters, risk managers, internal auditors,etc.);

3 cf. www.theiirc.org for research papers on the positiveimpacts of on employees. 4 This paper was released in July 2014 by the IIRC “in order todebate the practical and technical challenges in ensuringcredibility and trust in . A summary of the feedbackreceived will be published by the IIRC in early 2015.

Integrated thinking is the active considera-tion by an organization of the relationshipsbetween its various operating and functio-nal units and the capitals that the organi-zation uses or affects.Integrating thinking leads to integrateddecision-making and actions that considerthe creation of value over the short, mediumand long term.

Assurance on : an introduction to thediscussion. The IIRC (2014), p 5.4

alignment with other management tools(such as business plans, balanced scorecards,budgeting systems, tracking and reportingtools on social and environmental issues,quality management systems, etc.);

development of ad hoc management sys-tems to overcome silo-thinking.

Integrated thinking is a field where internal auditcan be instrumental in disseminating its broadknowledge of the organization and leveragingits close interactions with the different keyplayers of .

http://www.theiirc.org

6© Copyright 2015


Financial reporting Integrated reporting

Thinking Isolated Integrated

Stewardship Financial capital All forms of capital

Focus Past, financial Past and future, connected, strategic

Timeframe Short term Short, medium and long term

Trust Narrow disclosures Greater transparency

Adaptive Rule bound Responsive to individual circumstances

Concise Long and complex Concise and material

Technology enabled Paper based Technology enabled

How is different?

For more details: Towards Integrated Reporting. The IIRC (2011)

BRIE

FIN

G F

OR

BOA

RD M

EMBE

RSA

ND

SEN

IOR

MA

NA

GEM

ENT

© Copyright 20157

What should be my role asa board member or seniormanager?Those charged with governance need to be especiallyinvolved in . They are responsible for setting the reporting strategy(goals, level of aggregation, main users, milestones, etc.)and governance (key players, oversight structure, integrityand ethical values, etc.) of the organization. Their involve-ment prevents from being an empty mechanism withno value for the business. In this way, they foster: tone at the top regarding transparency and accounta-

bility; integrated thinking in operational and strategic deci-

sions; a broad view of all the capitals needed and available for

value creation; a proper governance structure with defined roles for

relevant board committees; engagement with strategic stakeholders; anticipation of external reporting requirements and

change needed within the organization; clarification of the responsibilities of internal assurance

functions.

As is principle based, the direction set by board mem-bers and senior management is critical for the definition ofeach organization’s ambition, structures, procedures andlevel of assurance needed. Accordingly, they should in par-ticular clarify their expectations regarding internal auditactivity and its involvement at the very early stage of an approach.

8© Copyright 2015

BRIEFING FOR BOARD MEMBERS AND SENIOR MANAGEMENT

What could be thepotential challenges?The main challenge of is to really embedthe core concepts and principles within theorganization. Moreover the mood of integratedreport leads to move forward over some existingpractices (mandatory reporting constraints,"business secret", etc.) since it addresses the ope-rational performance.Due to existing reporting habits, some can bedifficult to implement (such as the reporting ofvalue creation based on intangibles, concisenessvs. completeness, transparency vs. competitive-ness, reporting constraints vs. operational per-formance, etc.).A reporting strategy should be establishedand periodically revised to determine the rightbalance as regards: the scope and supporting information of the

organization’s integrated report; communication of long term objectives or

sensitive information on strategy; management of several business models due

to diverse markets and production areas; comparability without established and

shared standards for each type of capital; the processes ensuring the quality of disclo-

sures; the level of assurance needed; materiality, particularly for non-financial risks.

Which key functionsare involved?Due to its internal control, risk management andgovernance issues, the “three line of defense”model can contribute to the implementation andenhancement of .

The three lines of defense model distinguishesamong three groups (or lines): Functions that own and manage risks.

They also are responsible for implementingcorrective actions to address process andcontrol deficiencies.

Functions that oversee risks. Their roleincludes assisting management in develo-ping processes and controls. Relevantsecond line of defense functions for are:risk management, internal control, legal,finance, controlling, IT, HR, investor relations,sustainability, quality management, custo-mer satisfaction, safety and environment, etc.

Functions that provide independentassurance. Based on the highest level ofindependence and objectivity within theorganization, internal audit provides assu-rance on the effectiveness of governance, riskmanagement, and internal controls, inclu-ding the manner in which the first andsecond lines of defense achieve risk manage-ment and control objectives.Reliable work (monitoring tools, self-assess-ments, tests) performed by the second lineof defense should be used by internal audi-tors. This coordination can take the form ofjoint audits, discussion of work papers, sharedrisk assessments, promotion of the workdone by others, etc.

Sound governance, risk management andcontrol processes are fundamental enablersof .

Recognized frameworks such as COSO ERM(Enterprise Risk Management) and IC (Inter-nal control) must be leveraged.

For more information, visit: www.coso.org

9© Copyright 2015


As part of its natural contribution to the organi-zation’s value creation, internal audit has severalreasons to take part in . Indeed, internalaudit’s role and positioning is closely alignedwith objectives such as: holistic understanding of the organization’s

strategy and performance; engagements regarding the different type of

capitals; close interactions with a broad range of inter-

nal and external stakeholders;

connectivity and reliability of informationwhich becomes critical as disclosures needto be more and more precise.

can be time and resource consuming. Fororganizations seeking a more effective and effi-cient approach, internal audit can be instrumen-tal in the implementation of this new initiative.

IIA (2013a). Position paper, The three lines of defense in effective risk management and control.

Governing Body / Board / Audit Committee

External Audit

RegulatorSupervisory authorities

Senior Management

1st Line of Defense 2nd Line of Defense 3rd Line of Defense

ManagementControls

Internal ControlMeasures

InternalAudit

Financial Control

Security

Risk Management

Quality

Inspection

Compliance

The Three Lines of Defense Model

10© Copyright 2015


10 questions board members and seniormanagement should ask their chief auditexecutive

1. What is the demand (mandatory or voluntary) for integrated reports?

2. What is the chief audit executive’s knowledge of the organization’s strategy?

3. What is internal audit’s role in the existing disclosure mechanisms? Responsibilities regarding different kinds of internal and external reporting (financial, sustaina-

bility, corporate governance, remuneration, etc.).

4. How does internal audit understand its existing and future role around ? Is this role part of a formalized internal audit strategy? Are any new engagements planned in this area? Has internal audit considered the significant risks related to while developing its audit plan?

5. Is internal audit well positioned with sufficient scope for this new role? Is the interaction with those charged with governance sufficient? What is internal audit’s coverage of the organization’s stakeholders map and reporting scope?

6. Are internal audit resources adequate for this strategic role? Is the internal audit activity’s sourcing strategy aligned with issues? Do internal audit staff have sufficient knowledge of the organization’s complexity to deal with

connectivity issues? What about soft skills (ability to listen, critical thinking, etc.)? Is the internal audit budget sufficient to have the number of staff needed for an appropriate

coverage of the scope?

7. How does internal audit manage potential impairments to objectivity? For example, in thecase of : an assurance engagement following an advisory role; reliance on other assurance providers.

8. Is the quality assessment program in conformance with professional standards?

9. How does internal audit facilitate “integrated thinking”?

10.How does internal audit coordinate with second line of defense functions? What is the assurance map of the process?

Titre paragraphe

ENHANCINGINTEGRATEDREPORTING

A GUIDE FOR INTERNAL AUDITAND RISK PRACTICTIONERS

A G

UID

E FO

R IN

TERN

AL

AU

DIT

AN

D R

ISK

PRA

CTIC

TIO

NER

S

© Copyright 201513

This paper is released with a shorter briefing that providesan overview of issues for senior management andthose charged with governance.The task force proposals follow the structure of the Framework with:

Three fundamental concepts: value creation over time; capitals (financial, manufactured, intellectual,

human, social and relationship, and natural capital); value creation process.

Seven guiding principles, articulated by the task forcearound three categories for the purposes of this discus-sion:

Seven content elements5, also articulated by the taskforce around three categories for the purposes of thisdiscussion:

5 The content elements: “Basis of preparation and presentation” and“General reporting guidance” are discussed throughout the document.

Point of focus ofthe task force

guiding principlesrecommended by the IIRC

Strategy andconnectivity

• Strategic focus and future orientation• Connectivity of information

Significance andaccessibility

• Stakeholder relationships• Materiality• Conciseness

Soundness andfairness

• Reliability and completeness• Consistency and comparability


content elementsrecommended by the IIRC

Context andstructures for valuecreation

• Organizational overview andexternal environment

• Governance• Business model

Goals andoutcomesmonitoring

• Strategy and resource allocation• Performance

Dealing with theeffects ofuncertainty

• Risks and opportunities• Outlook

14© Copyright 2015

A GUIDE FOR INTERNAL AUDIT AND RISK PRACTICTIONERS

With its broader scope, concepts and prin-ciples raise potential challenges for organiza-tions. This document highlights various waysin which internal audit can add value byenhancing the content of the integratedreport and the process as a whole.Indeed internal audit is well suited to providinga broad range of assurance and advisory services(see appendix 2 “The fan“). Internal auditorsadd value by performing engagements inconformance with the professional principles ofthe IIA’s code of ethics and standards.Regarding the reporting process, internal auditcan answer such questions as:

1. What are the existing governance, riskmanagement and control processes to beleveraged by the organization for pur-poses?

2. Does the scope of the process adequa-tely cover the material activities, capitals(including externalized resources) and sta-keholders?

3. Is the underlying process for the productionof the integrated report adequate?

4. Does the scope reflect the organiza-tion’s reporting strategy?

5. Is the information conveyed in the integra-ted report reliable?

6. What is the level of understanding of concepts and principles within the organi-zation?

7. Are key information providers to the integra-ted report (such as the risk managementfunction, investor relations, financial and sus-tainability reporting preparers) strategicallyaligned and future focused?

8. Are the responsibilities of the functionsinvolved in the process clearly defined?Are communication lines effective?

9. How is connectivity taken into account inthe organization’s IT governance?

10. Is financial and non-financial informationcorrectly linked in the organization’s valuecreation process? And in its external com-munication?

11. Is the information on the nature and themateriality of the interactions with stakehol-ders for the value creation process over timereliable?

12. Is web technology sufficiently leveraged foreffective communication with stakeholders?

13. Does the process of selecting the organiza-tion’s key stakeholders reflect capital owner-ships and emerging trends?

14. Are the organization’s responses to signifi-cant crises impacting key stakeholders ade-quate?

15. Do materiality determination processesensure consistency between the organiza-tion’s value creation model and the risk cri-teria (risk appetite, risk tolerance threshold,etc.) defined in its risk management system?

16. Are materiality thresholds taken intoaccount in decision making and in interac-tions with key stakeholders?

17. Are material issues excluded (intentionally orotherwise) from the report?

18. How are cross-references to internal andexternal sources managed and monitored?

19. Does the report adequately balance conci-seness and completeness?

20. Are the standards and rules adopted by theorganization relevant as regards its reportingstrategy and regulatory requirements? Arethey effectively used across the organiza-tion?

Following a discussion of concepts andprinciples, a number of recommendations forthe evaluation of the content elements sugges-ted by the IIRC are set out hereafter.

FU

ND

AM

ENTA

L CO

NCE

PTS

AN

D P

RIN

CIPL

ES

© Copyright 201515

In this section we will focus on the concepts and principlesdeveloped by the IIRC and discuss a number of potentialchallenges and enablers for chief audit executives.

fundamentalconceptsThe fundamental concepts underpin and reinforce therequirements and guidance in the Framework.The Framework states that “the ability of an organi-zation to create value for itself is linked to the value itcreates for others.” Therefore organizations should report on how they interactwith the external environment and use different combina-tions of capitals to create value over time for different setsof stakeholders. The capitals identified in the Frameworkare financial, manufactured, intellectual, human, socialand relationship, and natural.The value creation process and its associated capitals auto-matically fall within the scope of internal auditing as defi-ned by the IIA: “Internal auditing is an independent,objective assurance and consulting activity designed to addvalue and improve an organization’s operations. It helps anorganization accomplish its objectives by bringing a syste-matic, disciplined approach to evaluate and improve theeffectiveness of risk management, control and governance

An effective process should leverage the existinginternal control and risk management systems. Thescope of these systems is not limited to the reliabilityof financial reporting. For example: The COSO InternalControl Integrated Framework (2013) explicitlyextended the scope of reporting objectives to non-financial information. Some principles of the COSOframework focus on specific resources such as humancapital (principle 4) and IT (principle 11). The impactsof outsourced services on internal control effectivenessare discussed.

Strategic objectives and opportunities are described in theCOSO Enterprise Risk Management Framework(2004).

16© Copyright 2015

FUNDAMENTAL CONCEPTS AND PRINCIPLES

processes” 6. As such internal audit as an unres-tricted scope not limited to financial capital.

An effective contribution of internal audit to thevalue creation process will depend on its autho-rity and resources, through: The right positioning to be able to serve

those charged with governance. “To achievethe degree of independence necessary to effec-tively carry out the responsibilities of the internalaudit activity. The chief audit executive hasdirect and unrestricted access to senior mana-gement and the board.” 7

A broad scope with unrestricted access tothe required information, consistent with theambition of . And, where applicable,consideration of the organization’s stakehol-ders map and materiality analysis.

Adequate competencies (whether in-house,

co-sourced or outsourced), to provide reaso-nable conclusions related to each categoryof capitals and their connected effects.

An internal audit plan reflecting the organi-zation’s strategy in the short, medium andlong term. This could mean a paradigmchange as internal auditors are traditionallyrisk focused but they are also able to developan opportunity based approach.

A clear definition of internal audit’s rolewith regards to the other lines of defense.

With their knowledge of the organization, inter-nal auditors can take advantage of the broadscope of their engagements and their conti-nuous interactions with the other lines ofdefense to help organizations accomplish activities.

6 Definition of internal auditing, The IIA (2013a).7 IIA Standard 1100 Independence and objectivity.

Mission and vision

Inputs Businessactivities Outputs Outcomes

Business model

Financial

Intellectual

Manufactured

Human

Natural

Social and relationship

Financial

Intellectual

Manufactured

Human

Natural

Social and relationship

External environment

Risks andopportunities

Strategy andressource allocation

Performance Outlook

Value creation (preservation, diminution) over time

The value creation process. The IIRC (2013) , p13

17© Copyright 2015


guidingprinciples The guiding principles underpin the preparationand presentation of an integrated report, infor-ming the content of the report and how infor-mation is presented.

The role of internal audit may relate to the IIRCprinciples in various capacities.The principles of “strategic focus and futureorientation” and “connectivity of information”relate to the strategic role of internal audit insupport of those charged with governance andwithin the three lines of defense model. The principles of “reliability and completeness”and “consistency and comparability” refer tomore operational and traditional roles for inter-nal auditors. Based on its maturity, internal auditis also able to contribute to the three other principles: “stakeholder relationship”, “materia-lity” and “conciseness”.

1. Strategy andconnectivity Through its close relationships with those char-ged with governance, engagements with diffe-rent categories of functions and an in-depthknowledge of the organization, internal audit

can contribute to the strategic ali-gnment and connectivity of inte-grated reporting.

Strategic focus and futureorientation“An integrated report shouldprovide insight into the organi-zation’s strategy, and how itrelates to the organization’sability to create value in theshort, medium and long term,

and to its use of and effects on the capitals.”

To support future-focused activities and provideuseful insights to those charged with gover-nance, internal audit need to be strategically ali-gned through: an adequate reporting line to the highest

level within the organization as well as a for-malized internal audit strategic plan;

the ability to encompass value creation aswell as value destruction, which means abroader and proactive assessment of diffe-rent kind of uncertainties;

relevant and objective communication tothose charged with governance8. For exam-ple, about the effect of the organization’sactivities on the future availability and qualityof the different capitals.

Internal auditors are able to contribute to thelearning curve of their organization by challen-

8 About reportings to senior management and the board seestandard 2060 (The IIA, 2013a).


guiding principlesrecommended by the IIRC

Strategy andconnectivity

• Strategic focus and future orientation• Connectivity of information

Significance andaccessibility

• Stakeholder relationships• Materiality• Conciseness

Soundness andfairness

• Reliability and completeness• Consistency and comparability

18© Copyright 2015


ging the assumptions of some strategic deve-lopments or providing feedback on the lessonslearned from past experiences.

Connectivity of information“An integrated report should show a holis-tic picture of the combination, interrela-tedness and dependencies between thefactors that affect the organization’s abi-lity to create value over time.”

Connectivity is an underlying principle of thethree lines of defense model9: “Without a cohe-sive, coordinated approach, limited risk and controlresources may not be deployed effectively, andsignificant risks may not be identified or managedappropriately.” Internal audit contributes to thiscomprehensive overview of the organization’sactivities by providing independent assurance.

On this topic, internal audit can contribute by: having a broad and cross-functional scope, it

is one of the best corporate functions forreviewing the reliability of different sourcesof information as well as the consistency ofthe content elements. For example, consis-tency between “external environment” and“risks and opportunities”; “value creation overtime” and “outlook”; “balanced effects onvarious forms of capital” and “strategy”,“resource allocation” and “outlook”;

making appropriate recommendations for“coordinating the activities of and communica-ting information among the board, externaland internal auditors, and management.” 10

relying on other assurance providers, therebylimiting unnecessary duplication.

To strengthen connectivity, internal auditors pro-vide insights for the establishment of a soundreporting structure based on integrated thin-king. As such, they contribute to mitigating com-pliance and reputation risk.

2. Significance andaccessibility Materiality is a classical element of audit metho-dology. However, it takes on another dimensionwhen determining non-financial impacts. In an approach, significance of the organization’sactivities is determined not only based onmonetary thresholds but also includes an analy-sis of stakeholders’ relationships. The definitionof materiality is key to meeting stakeholders’needs and selecting important information aspart of the conciseness objective of the report.

9 Position paper The three lines of defense in effective riskmanagement and control. The IIA (2013a).10 Standard 2110 Governance IIA (2013a).

Examples of sources considered in thestakeholder engagement process: customer satisfaction and customer com-

plaints; climate surveys and internal communica-

tion; communication with analysts and inves-

tors; questionnaires from sustainability rating

agencies; interaction with representative and cate-

gory associations; institutional relations at national and

local level; union relations; media monitoring and surveys.

Mio and Fasan “The case of Enel” in Busco(2013)

19© Copyright 2015


Stakeholder relationships“An integrated report should provideinsight into the nature and quality of theorganization’s relationships with its keystakeholders, including how and to whatextent the organization understands,takes into account and responds to theirlegitimate needs and interests.”

Due to the diversity of capitals taken intoaccount in an integrated report, there is an evenmore diverse category of stakeholders whichcan be providers of these capitals or be affected(in the short or long term) by the organization’sactivities. The risks and opportunities underlyingstakeholder relationships should then be mana-ged at the relevant level within the organization.

The scope and competence of internal audit issufficiently broad to encompass all kinds of sta-keholder relationships11. To facilitate internal debates about the potentialcontradictions between different stakeholders’needs and interests, the chief audit executiveshould: ensure that the internal audit activity has

access to information about key stakehol-ders;

encourage regular meetings with the mainfunctions that deal with external stakehol-ders (investor relations, customer depart-ment, IT, etc.) as well as with the riskmanagement and internal control functionsin charge of following up risk mitigationaction plans.

sustain balanced internal communication onthe representativeness of the stakeholderengagement process. For example, does itonly focus on mainstream actors? Does ittake into account future interests?

review the inclusion of legitimate stakehol-ders’ needs in decision-making processes.

All these internal audit assurance and advisoryactivities contribute to the quality of the interac-tion with strategic partners.

Materiality“An integrated report should discloseinformation about matters that substanti-vely affect the organization’s ability tocreate value over the short, medium andlong term.”

To manage their risks and opportunities, organi-zations are used to evaluating the significanceof the impacts of uncertainties on its objectives.In the context, this analysis should conti-nue to be based on the risk appetite and thres-holds set by those charged with governance.However, it takes another dimension due to thediversity of information disclosed in the reportand the objective of interconnectivity.

11 For example, there are several revelant practice guides inthe current IPPF (IIA, 2013a) : Auditing external business rela-tionships; Evaluating corporate social responsibility; GlobalTechnology Audit Guide on IT outsourcing, etc.

Major challenges of assurance providersare: lack of detailed knowledge of the firm

which is key for non-financial information lack of quantitative thresholds in order to

assess materiality subjectivity in the materiality determina-

tion process traditional accounting reporting is back-

ward-oriented while materiality contentshould be in accordance with the guidingprinciple of IR “strategic focus and futureorientation”.

Mio “Materiality and assurance: Building thelink” in Busco (2013)

20© Copyright 2015


Given their knowledge of the organization, inter-nal auditors are well positioned to sustain themateriality determination process for . Thisinput may be influenced by: the results of their engagements regarding

the achievement of operational and repor-ting objectives;

the conclusions of their review of the organi-zation’s risk management system;

benchmarks regarding industry informationand stakeholders’ communication.

Through regular discussion with risk manage-ment functions and the conclusions of its ownengagements, internal audit can effectively andefficiently evaluate the significance of variousevents, activities and decisions and assess if theorganization has presented a balanced report ofthe material issues.

ConcisenessAn integrated report should be concise.

One ambition of is to reduce the com-plexity and volume of information that is repor-ted by organizations. The guiding principle ofconciseness encourages organizations to focuson the material aspects of its value creation story,while eliminating redundancies and unneces-sary detail. To anticipate resistance to change,internal audit can contribute to the concisenessobjective in a number of ways, including: facilitate discussion between the reporting

functions; evaluate compliance risks resulting from

unbalanced reporting as regards concisenesson the one hand, and materiality or comple-teness on the other.

This principle is critical for effective reporting andensuring value for key stakeholders.

3. Soundness andfairnessOrganizations may face reputation risks or sufferfrom ineffective interaction with stakeholdersdue to the poor quality, comprehensiveness oraccuracy of their disclosures.In order to mitigate these risks, the Frame-work includes guiding principles that are focu-sed on the soundness and fairness of theinformation presented in an integrated report.

Reliability and completeness“An integrated report should include allmaterial matters, both positive and nega-tive, in a balanced way and without mate-rial error.”

Reliability is the cornerstone of any accountabi-lity mechanism. Therefore data integrity andcomprehensiveness are objective criteria of theorganization’s commitment to . The mainchallenge is the diversity of data providers andreporting mechanisms linked to the integratedreport. The Framework states that reliability:“is enhanced by mechanisms such as robustinternal control and reporting systems, stakehol-der engagement, internal audit or similar func-tions, and independent, external assurance.”

It is not the responsibility of internal audit todetermine what information must be disclosedor not. Disclosure structure and authority mustbe validated by those charged with governance.Nevertheless, internal audit can: provide an overall opinion on the internal

control system related to the reportingobjectives and the disclosure process;

review the reliability of the continuousassessment performed by internal controland risk management functions to provide

21© Copyright 2015


12 Practice Advisory 2320-2, Root Cause Analysis (IIA, 2013 ).

an assurance that significant misstatementsare detected and followed up;

assess key reporting tools and automatedcontrol activities;

challenge the reliability of the assumptionsunderlying future oriented information.

By enabling sound root cause analysis12, internalaudit can contribute to reducing errors andintentional misstatements.

Consistency and comparability“The information in an integrated reportshould be presented: (a) on a basis that isconsistent over time; and (b) in a way thatenables comparison with other organiza-tions own ability to create value over time.”

The data used for the integrated report are notnecessarily based on shared rules or commonpractices within the organization and its stake-holders. While accounting standards can beused to mitigate data inconsistency over finan-cial reporting, there are some major challengesaround the consistency and comparability ofnon-financial information. Internal audit can: provide assurance on the establishment of

shared rules facilitating consistency andcomparability;

review risk control (including continuousmonitoring) performed by second line ofdefense functions;

benchmark against other organizationswithin and outside the industry, to highlightkey inconsistencies.

Thanks to its knowledge of the organization andits familiarity with external and internal reportingstandards, internal audit can facilitate the adop-tion of best practices aligned with the organiza-tion’s reporting strategy and promote integratedthinking.

INTE

RNA

L A

UD

IT R

OLE

S A

ROU

ND

THE

CO

NTE

NT

ELEM

ENTS

© Copyright 201523

The content of an organization’s integrated report willdepend on the individual circumstances of the organiza-tion. However, the Framework recommends severalcontent elements, stated in the form of questions ratherthan as checklists of specific disclosures, that are funda-mentally linked to each other and not mutually exclusive.

The content elements recommended by the IIRC havebeen grouped by proximity with regards to governancerisk and control issues:

After an overview of these issues, the task force suggesteda number of actions for involving internal auditors in thisarea.

Context and structures forvalue creationThe organization’s governance structure (such as roles, res-ponsibilities, communication flows, cooperation betweenvarious functions, etc.) should be aimed at creating an inte-grated thinking process leading to reliable and efficientintegrated reporting. Internal audit is experienced and well positioned to reviewthe effectiveness of such governance processes. Theirknowledge of the organization helps facilitate potentialchanges in the governance structure in meeting the objec-tives of integrated reporting while taking into account thecontext.


content elementsrecommended by the IIRC

Context andstructures for valuecreation

• Organizational overview andexternal environment

• Governance• Business model

Goals andoutcomesmonitoring

• Strategy and resource allocation• Performance

Dealing with theeffects ofuncertainty

• Risks and opportunities• Outlook

24© Copyright 2015

INTERNAL AUDIT ROLES AROUND THE CONTENT ELEMENTS

1. Organizationaloverview and externalenvironmentAn integrated report should answer the follo-wing question: What does the organization do and what arethe circumstances under which it operates?This element includes the organization’s missionand vision and provides information regardingits operating structure, principal activities andmarkets, and competitive landscape. Additio-nally, disclosure of significant factors impactingthe organization's external environment (i.e.legal, commercial, social, environmental andpolitical context) should be included.

Internal audit efforts over this principle cantake different forms: challenging the disclosure and its prepara-

tion process. This challenge could be basedon: conclusions over the organization’s

control environment, reliance on other assurance providers, reviews of the governance, risk manage-

ment and control processes supportingthe screening of the external environ-ment, etc.;

assessing the alignment of the organization’smechanisms around with its integrityand ethical values;

challenging the capitals disclosed by theorganization in relation with its businessmodel;

evaluating the adequacy of the organiza-tion’s processes that define and monitor itsresponses to external events;

providing insight on environmental threatsand opportunities. This role will depend on

the maturity of the risk management systemand on the knowledge present in the internalaudit capabilities.

Recommendation: Audit value isexpected through reviewing or challen-ging disclosures regarding the organi-zation’s values and providing assuranceon the external environment screeningprocesses.

2. GovernanceAn integrated report should answer the follo-wing question: How does the organization’s governancestructure support its ability to create value inthe short, medium and long term?

Internal audit efforts over this principle cantake different forms: providing insight to governance bodies on

principles and best practices; evaluating the effectiveness and efficiency of

the steering, coordination and monitoringmechanisms (or functions) regarding ;

assessing clarity of ownership, including areview of potential inconsistencies within theorganization structure or the stakeholderengagement process;

reviewing commitment to transparency andaccountability;

IIA standard 2110 states that: The internalaudit activity must assess and makeappropriate recommendations for impro-ving the governance process (...)

A close relationship with senior manage-ment and the board is instrumental in fulfil-ling this role.

25© Copyright 2015


reviewing the design and effectiveness of thechange in program, where applicable;

contributing to the improvement of integra-ted thinking. For example by: focusing on connectivity issues and soft

controls, reviewing data integrity, assessing whether integrated thinking is

embedded in the organization (clear rules,tone at the top, open discussion aroundintegrated reporting/thinking issues, etc.),

reviewing proper cooperation betweenbusiness lines and expertise functions(such as risk management, internalcontrol, legal, finance, IT, HR, investor rela-tions, sustainability, quality management,customer satisfaction, safety and environ-ment, etc.).

Recommendation: Internal auditshould review the governance around, including integrated thinking andthe contribution to value creation, witha focus on soft controls.

3. Business modelAn integrated report should answer the follo-wing question: What is the organization’s business model?The IIRC presents business models as the core ofthe organization’s value creation process.

Recommendation: Internal auditshould review the accuracy of the orga-nization’s business model as describedin the report.

Internal audit efforts over this principle cantake different forms: evaluating the alignment of the business

model description with the organization’sdisclosure strategy;

reviewing the efficient use of the differentcapitals and their effects on the businessmodel;

informing those charged with governanceon gaps due to the diversity of businessmodels within the organization;

evaluating how the organization monitorsinternal and external changes and theirpotential impacts on the business model.

Goals and outcomesmonitoring These content elements (”strategy and resourceallocation“ and ”performance“) are particularlylinked to the principles of “strategic focusand future orientation” and “reliability and com-pleteness”. They should be consistently treatedin internal and external reporting to illustratehow the business model contributes to valuecreation over time.

To maintain an effective internal control,organizations should identify and analyzesignificant change especially the changes intheir business model: “The organizationconsiders the potential impacts of new busi-ness lines, dramatically altered composi-tions of existing business lines, acquired ordivested business operations on the systemof internal control, rapid growth, changingreliance on foreign geographies, and newtechnologies”.

COSO (2013) Principle 9

26© Copyright 2015


1. Strategy and resourceallocationAn integrated report should answer the follo-wing question: Where does the company want to go andhow does it intend to get there?

Organizations achieve the strategic and businessobjectives set by those charged with gover-nance through strategic plans, supported byresource allocation and action plans, whichhighlight the organization’s business model andhow it creates value over time. These plansshould be sustained by effective risk responsesand maximized opportunities.

Recommendation: Internal audit cancontribute to the improvement of thestrategic planning process and assess itsalignment with the organization’s mis-sion and resource allocation.

Internal audit efforts over this principle cantake different forms: reviewing the strategic planning process in

order to: assess conformance with the organiza-

tion’s mandate, the mission and values setby those charged with governance,

challenge the methodology (forward loo-king, open to outside views, logic and rea-lity of the assumptions, robust checks andbalances, etc.),

evaluate the supporting functions; providing assurance on the level of justifica-

tion and validation of any significant strategicchange;

evaluating the alignment of the strategicalternatives with the organization’s risk appe-tite;

evaluating if business objectives closelyreflect the strategic plan;

providing insights, based on root cause ana-lysis of the gaps identified, including diffe-rences between planned and actual budget;

reviewing the alignment of resource alloca-tion with strategic objectives and the exis-tence or availability of key capitals;

discussing, with those charged with gover-nance, opportunities for improving boardoversight of strategic planning;

holding discussions with the chairman of theboard committee in charge of internal auditactivities (generally the audit committee) toensure connectivity with other relevantboard committees.

2. PerformanceAn integrated report should answer the follo-wing question: To what extent has the organization achie-ved its strategic objectives for the period andwhat are its outcomes in terms of effects onthe capitals?

Organizations have different performance mea-surement and monitoring mechanisms. Internalcontrol systems help ensure sufficient oversightand information flows. The principle ofconnectivity is particularly important in thiscontent element.

Tone at the top is key: “Management, withboard oversight, sets entity-level objectivesthat align with the entity’s mission, vision,and strategies. These high-level objectivesreflect choices made by management andboard of directors about how the organiza-tion seeks to create, preserve, and realizevalue for its stakeholders”.

COSO (2013)

27© Copyright 2015


Recommendation: In evaluating thegovernance and internal control pro-cesses related to performance, internalaudit contributes to the quality of theinformation used for decision-makingor disclosed in the integrated report.

Internal audit efforts over this principle cantake different forms: evaluating if the report reflects internal

indicators about the achievement of objec-tives;

evaluating the reporting strategy of the orga-nization and the adequate communicationof the KPIs to the disclosure functions;

reviewing the design and selection of key(quantitative and qualitative) performanceindicators: do they reflect stakeholders’ legitimate

interests? are they sufficiently clear? are they compliant with legal require-

ments and the organization’s integrityvalues or transparency commitment?

are they updated specifically in order toimprove the organization’s disclosure onits value creation process?

do they target current and emerging keystakeholders?

reviewing internal control related to the pre-paration and processing of data, in order to: challenge assumptions and methods

underlying the collection, verification andprocessing of input data,

review underlying IT tools13, address connectivity challenges, perform root cause analysis of significant

gaps between planned and actual KPIs, give an opinion on the degree to which

indicators are accurate and free fromerrors or voluntary misstatements;

coordinating with the second line of defensein charge of the continuous monitoring ofthe KPIs;

providing benchmarks, information and trai-ning.

The internal audit activity must assess andmake appropriate recommendations forimproving the governance process in itsaccomplishment of the following objectives;[…] ensuring effective organizational per-formance management and accountabi-lity…

Standard 2110 (The IIA, 2013a)

Good practices for the review of KPIs : Do they cover each dimension of the

value creation (competitors and bestpractices, the entire value chain, etc.)?

Do they reflect economic, environmental,and social issues?

Is their determination formalized? (pur-pose, reason why it is “key”, calculationmethod, source of data or assumptions,etc.)

Are the KPIs comparable over time andbetween organizations?

Are they monitored? Are the reasons forsuccess and failure discussed?

Are they sufficiently forward-looking?

Bartolini, Santini, and Silvi : “PerformanceMeasurement and Capitals” in Busco (2013)

13 Standard 2110.A2, IT Governance (The IIA, 2013a).

28© Copyright 2015


Dealing with theeffects of uncertaintyAssessing risks and opportunities is part of anyrisk management process which aims tomanage their potential impacts on the achieve-ment of objectives. The outlook section may bechallenging to disclose as it is linked to sensitivesubjects such as the organization’s strategy andfuture performance.

1. Risks andopportunitiesAn integrated report should answer the follo-wing question: What are the specific risks and opportunitiesthat affect the organization’s ability to createvalue over the short, medium and long term,and how is the organization dealing withthem?

As defined by risk management frameworks, theidentification of risks and opportunities shouldcover their potential effects on all of the organi-zation’s categories of objectives (strategic, ope-rational, compliance, financial and non-financialreporting).

Recommendation: Internal audit canassess if the integrated report includeskey information about the risk manage-ment process.

Internal audit efforts over this principle cantake different forms: as part of its annual audit plan, internal audit

contributes to monitoring and analyzingpotential external environment impacts;

regularly reviewing the adequacy of the riskmanagement system14;

providing “assurance on the effectiveness ofgovernance, risk management, and internalcontrols, including the manner in which the firstand second lines of defense achieve risk mana-gement and control objectives”15;

reviewing consistency, integrity and reliabilityof disclosures regarding risks and opportuni-ties;

ascertaining the scope of the risk manage-ment process. Does it cover all the relevantcapitals and stakeholders? Does it give a suffi-cient overview of short, medium and longterm effects? Does it consider opportunities?

The efficiency of risk management processesdepends on different factors such as the over-

Organizations are increasingly deployingrisk management functions as part of theirsecond line of defense.

According to the IIA Position paper: Thethree lines of defense in effective risk mana-gement and control, “the risk managementfunction typically facilitates and monitorsthe implementation of effective risk mana-gement practices by operational manage-ment and assists risk owners in defining thetarget risk exposure and reporting adequaterisk-related information throughout theorganization.” One of the outputs of the riskmanagement function is the risk map,which may be used in the preparation ofCorporate governance reports, especiallyfor listed companies.

“Internal auditors provide the governingbody and senior management with com-prehensive assurance based on the highestlevel of independence and objectivity withinthe organization.”

14 See IPPF Practice Guide, Assessing the adequacy of riskmanagement (The IIA, 2013a).15 Position paper, The three lines of defense in effective riskmanagement and control (The IIA, 2013a).

29© Copyright 2015


sight of those charged with governance and thelevel of assurance provided to them. In thesecond line of defense, several functions (inter-nal control, risk management, IT security, corpo-rate social responsibility, etc.) contribute to thisassurance. Mapping risks with assurance functio-nal responsibilities illustrates the coordinationefforts.

Recommendation: The disclosure of an“Assurance Map” in the integratedreport is valuable to those charged withgovernance and key stakeholders. Inter-nal audit can contribute to the reliabilityof this information.

Internal audit efforts over this principle cantake different forms: as the independent line of defense, challen-

ging assessments from other functions; facilitating the establishment of an assurance

map for significant risks.

Recommendation: effectiveness islinked to the quality of key risk criteriaand indicators. Internal audit can contri-bute to improving the design and moni-toring of these elements.

Internal audit efforts over this principle cantake different forms: reviewing the process for the establishment

of key risk indicators and their communica-tion across the organization;

evaluating the inclusion of these indicatorsin the integrated thinking and the integratedreport;

assessing the consistency of these indicatorswith the organization’s materiality thresholds;

periodically monitoring the responses (orreviewing assessments carried out by thesecond line of defense or by management)to threshold overruns;

reviewing with the risk management func-tion the appropriate consideration of a for-ward looking approach.

2. OutlookAn integrated report should answer the follo-wing question:What challenges and uncertainties is theorganization likely to encounter in pursuingits strategy and what are the potential impli-cations for its business model or future per-formance?

This question explicitly makes a link with othercontent elements of an integrated report (risksand opportunities regarding uncertainties, busi-ness model, strategy and performance). Basedon the connectivity principle, it could also berelated to other elements such as the organiza-tion’s overview and governance or external envi-ronment.

Recommendation: An integrated reportdiscloses information based on know-ledge of the main challenges of theorganization’s strategy and the actionplans to deal with them. Internal auditactivities should be leveraged for relia-ble disclosures.

COSO 2013 states that “Risk is the probabi-lity that a fact will take place affecting in anegative manner to the objectives of theorganization.” Accordingly, the potentialchallenges or uncertainties the organiza-tion is likely to encounter in the future areidentified in the organization’s assessmentof its strategic, operational, compliance orreporting risks.

30© Copyright 2015


Internal audit efforts over this principle cantake different forms: reviewing the connectivity between external

factors monitored by the organization (e.g.,as part of its risk mapping) and social, legal,economic or environmental uncertaintiesdisclosed in the outlook element;

coordinating regularly with – and reviewing –the risk management function;

assessing the accuracy of the strategic planon which the outlook is based;

providing insight on the internal and externaldynamics of the organization’s value creationprocess.

APP

END

ICES

© Copyright 2015

1. Task force objectivesand approachThe task force is a joint initiative of IIA France (IFACI) and IIASpain (IAI) in collaboration with several European institutesaffiliated to the IIA (Institute of Internal Auditors) such asIIA UK & Ireland, IIA Netherlands and IIA Norway.Due to the early stage of development of , the taskforce believes that there is a need to clarify the role of inter-nal audit by establishing a clear understanding of challenges and benefits. The task force also set out to pre-sent the potential impacts on the interactions with thosecharged with governance and other assurance providers.

Objectives: Identify governance, risk management and control

issues regarding integrated reporting. Provide trends and best practices that help organiza-

tions leverage their internal control and risk manage-ment systems to better use financial and non-financialresources.

Clarify internal auditors’ advisory and assurance rolesduring the implementation and post-implementationphases of integrated reporting processes (for examplein relation to data integrity, adequacy of structures andcontrols, the elements highlighted by the IIRC, etc.).

Establish the specific responsibilities of internal auditand its interaction with other lines of defense withinand outside the organization.

Recommend practical approaches and key success fac-tors.

Approach: Understanding concepts through a literature

review and discussion with the CEO of the IIRC (PaulDruckman) in Madrid in April 2014.

Collating feedback on members’ reporting strategiesand the role of the internal audit function as well as therisk management and internal control functions.

Discussions around each content element and principleof the Framework for linkage with existing practices andemerging roles.

31

32© Copyright 2015

APPENDICES

This diagram is adapted from “Position Statement: The Role of Internal Auditing in Enterprise-wide RiskManagement,” reproduced with the permission of IIA UK & Ireland. For the full statement, visitwww.iia.org.uk. © The Institute of Internal Auditors – UK and Ireland Ltd., July 2004.

2. The fan: several roles for internal audit

Advi

sory

serv

ices d

urin

g pr

e-im

plem

enta

tion

stag

es o

f <IR

>

to fa

cilita

te th

e des

ign

of ad

equa

te co

ntro

ls

Insigh

ts on

the o

rgan

izatio

n’s va

lue cr

eatio

n pro

cess

Imposin

g repor

ting pro

cesses

Taking d

ecisions o

n str

ategy

Accountability for

Faci

litat

ing

the

desi

gn o

f a s

yste

mat

ic a

ppro

ach

to <

IR>

Chal

leng

ing

the

orga

niza

tion

’s re

port

ing

stra

tegy

Chal

leng

ing

the

reas

onab

lene

ss o

f fut

ure

proj

ectio

ns

Championing the establishm

ent of

Facilitating the establishment and evaluation

of the assurance map

Providing assurance on data integrity

Giving assurance that the principles and content elements

of the Framework are correctly taken into account

Reviewing the organizational structure and

key information systems underlying

Giving assurance on the processesProviding information regarding policies andperformance for which internal audit is directly accountable

Core internal audit rolesin regard to

Legitimate internal auditroles with safeguards

Roles internal auditingshould not undertake

Fost

erin

g in

tegr

ated

thin

king

Settin

g mate

riality

levels

Implementing

risk response

s on managem

ent’s behalf

Reviewing key risks and opportunities

Monitoring progress against the targets set

by those charged with governance

Evaluating the adequacy of governance, risk management

and controls processes related to !nancial

and non-!nancial capitals

33© Copyright 2015

APPENDICES

3. Examples of initiatives and internalaudit roles

CSR reporting and in my organizationSolvay also has a strong culture due to its type of industry (chemical products) and customers.The SolvayWay approach (which takes into account the stakeholder engagement process) is implemen-ted throughout the Group, supported by a decentralized network of champions from each key corporatefunction. It is self-assessed and regularly evaluated by internal audit. CSR reporting follows the GRIGuidelines. A task force was set up last year to take the IIRC principles more closely into account. Eachcorporate function (such as internal audit and risk management) is represented in this group. The CSRdepartment is in charge of the task force. The upcoming reporting will be based on the KPIs selectedtogether (the idea is to reduce the number of KPIs, be materiality-focused and oriented towards longterm aspects). Sustainability KPIs are taken into account for the development of new products and the portfolio analysis.

At Danone, Antoine Riboud, one of the co-founders and former CEO of Danone, was a strong advocatefor the so-called "double project". In his words, "the responsibility of a company does not end at theplant's gate" because a company cannot grow and develop itself in isolation from its ecosystem. The-refore, we can say that the integration of business and sustainability issues is in the DNA of Danone. The CEO of Danone, Franck Riboud, Antoine's son, has always maintained this conviction in his variousspeeches and actions. Therefore, it was only natural for Danone to accept the IIRC's invitation to join theIntegrated Reporting pilot program. To lead this project, an internal finance professional with CSR expe-rience was designated. So far, the outputs of the project have not been communicated externally. Inter-nally, many meetings have been and are being held concerning the project, gathering different keyfunctions, including internal audit.

In a benchmark performed by IIA Spain on the IBEX-35 index, internal audit roles in external reportingare centered on: awareness of the audit committee; compliance of ethics related engagements; evaluation of risk management systems; review of the content element of the report; review of internal control in relation to the reporting process; due diligence audit.

34© Copyright 2015

APPENDICES

An non-exhaustive list of risks

Business risks

Company reputation/brand value Business continuity License to operate

Physical risks

Air pollution limits Changes in frequency of extreme weather events Changes in natural resource availability Changes in supply chain and/or customers

Regulatory risks

Uncertainty surrounding new regulations including changes in air quality or emissions stan-dards

Potential for litigation International agreements Carbon taxes and cap and trade schemes Changes in water pricing schemes Emission reporting obligations

Nefedova (2014)

BIBL

IOG

RAPH

Y

© Copyright 201535

Bibliography

ACCA (2014). Understanding investors: the changing cor-porate perspective. The Association of Chartered CertifiedAccountants. February 2014. 29 p.

Busco, C., Frigo, M.L., Riccaboni, A., Quattrone, P. (Eds.). Inte-grated reporting concepts and cases that redefine corpo-rate accountability. 2013. Springer, 350 p.

COSO (2013). Intregated framework on internal control. TheCommittee of Sponsoring Organizations of the TreadwayCommission. May 2013.

COSO (2012). Enterprise Risk Management. Understandingand Communicating Risk Appetite documentation on Riskappetite. The Committee of Sponsoring Organizations ofthe Treadway Commission.

COSO (2004). Entreprise Risk Management (ERM) – Integra-ted Framework. The Committee of Sponsoring Organiza-tions of the Treadway Commission.

Crutzen N. (2013). Corporate sustainability, strategy andaccounting controls: an exploration of corporate practices.Actes du 34ème congrès annuel de l'AFC.

Eccles R. G. and Armbrester K. (2011). Integrated reportingin the cloud. Two disruptive ideas combined. IESE insightissue 8 first quarter 2011.

European parliament (2012). Report on corporate socialresponsibility: accountable, transparent and responsiblebusiness behaviour and sustainable growth(2012/2098(INI)).

European parliament (2014). European directive on disclo-sure of non-fiancial and diversity information adopted bythe European parliament on April 15, 2014. amends Direc-tive 2013/34/EU.

FSB (2013). Principles for an effective risk appetite frame-work. The Financial stability board. 18 November 2013.

36© Copyright 2015

BIBLIOGRAPHY

GRI (2013). G4 Sustainibility Reporting Guidelines. Implementation guidance. Global Reporting Initiative.266 p.

GRI (2013). The sustainability content of integrated reports – a survey of pioneers.

Hanks J. and Gardiner L (2012). Integrated Reporting: Lessons from the South African Experience. WorldBank, Washington, DC. 16 p.

IIA France (2008). Guide d’audit du développement durable. Comment auditer la stratégie et les pra-tiques de développement durable ? Institut Français de l’Audit et du Contrôle Internes (IFACI). 150 p.

IIA Spain (2013). Marco de relaciones de Auditoria interna con otras functiones de asuguramentio. Guiapratica. 37 p.

IIA UK & Ireland (2014). Integrated reporting. IIA UK & Ireland Magazine March April 2014, p3; 18-21.

KPMG (2014). The KPMG survey of business reporting. Better Business Report. 48 p.

Meggeneder G. (2014). Auditing integrated reporting. IIA Conference. July 2014.

Nefedova A. (2014). Auditing sustainability: A long-term view. IIA Conference. July 2014.

Sustainability Accounting Standards Board (SASB). Sector-specific sustainability standards.http://www.sasb.org/standards/status-standards/

The IIA (2013a). International Professional Practice Framework (IPPF). Includes the definition, the codeof ethics, the standards, practice advisories, practice guides and position papers.

The IIA (2013b). Integrated reporting and the emerging role of internal auditing. Flash alert. IIA AuditExecutive Center.

The IIA (2014). Proposed enhancements to International Professional Practices Framework (IPPF). TheInstitute of Internal Auditors. 26 p.

The IIRC (2014). Assurance on : an exploration of issues. 40 p.

The IIRC (2014). An introduction to the discussion. 8 p.

The IIRC (2014). Realizing the benefits: The impact of Integrated Reporting. 32 p.

The IIRC (2013). The integrated reporting Framework. 37 p.

The IIRC (2011). Discussion Paper. Towards Integrated Reporting. 17 p.

The IIRC (2002). Understanding transformation: Building the business case for Integrated Reporting.30 p.

Van Staden, C. and Wild, S. (2013). Integrated Reporting – Initial Analysis of Early Reporters: an InstitutionalTheory Approach. Paper presented at the 3rd Sustainability Accounting Research Symposium, Universityof Canterbury. August 30, 2013.

Réal

isat

ion

:

Eb

zone

Com

mun

icat

ion

(ww

w.e

bzon

e.fr

)

http://www.ebzone.fr

ContentsINTERNAL AUDIT VALUE PROPOSITIONExecutive SummaryFrequent questions about Integrated Reporting ()Briefing for board members and senior management

A GUIDE FOR INTERNAL AUDIT AND RISK PRACTICTIONERS fundamental concepts and principles fundamental concepts guiding principles1. Strategy and connectivity2. Significance and accessibility3. Soundness and fairness

Internal audit roles around the content elementsContext and structures for value creation1. Organizational overview and external environment2. Governance3. Business model

Goals and outcomes monitoring1. Strategy and resource allocation2. Performance

Dealing with the effects of uncertainty1. Risks and opportunities2. Outlook

Appendices1. Task force objectives and approach2. The fan: several roles for internal audit3. Examples of initiatives and internal audit roles

Bibliography

Documents

ENHANCING INTEGRATED REPORTING€¦ · ronment, internal audit can play several roles depending on the maturity of the reporting processes and on the road map of the organization