Globally, there has been a surge in the amount and
variety of information reported to investors outside of
financial statements.

Nonfinancial information involves issues related to:
sustainability; corporate responsibility; environmental, social
and governance (ESG); ethics; human capital; and environment,
health and safety (EH&S).

Although described as “nonfinancial,” the information involved
is typically indirectly correlated with an organization’s financial
performance and outlook, especially when assessed over time.
Moreover, nonfinancial performance also impacts tangible
asset value and can be tied to intangible assets, including brand
reputation, intellectual capital and an organization’s market

Operational management functions serve as the first line of
defense for nonfinancial information performance management:
operations typically executes nonfinancial information-related
controls, and management oversees and approves them.
Additionally, adequate managerial and supervisory reviews
should be in place to ensure compliance with standards and
appropriate process execution. Two main concepts emerge when
discussing internal controls and how they apply to nonfinancial
information: the control environment and control activities.
According to the Committee of Sponsoring Organizations of the
Treadway Commission (COSO):
“The control environment sets the tone of an organization,
influencing the control consciousness of its people. It is the
foundation for all other components of internal control,
providing discipline and structure. Control environment factors
include the integrity, ethical values and competence of the
entity’s people; management’s philosophy and operating style;
the way management assigns authority and responsibility,
and organizes and develops its people; and the attention and
direction provided by the board of directors.
Control activities are the policies and procedures that help
ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to
achievement of the entity’s objectives. Control activities occur
throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals,
authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation
of duties.”11
For nonfinancial information data management, controls
typically include segregation of duties in reporting and
management review analytics (through performance dashboards
and automated data validations).
The value of nonfinancial information cannot be unlocked unless
the data is made available to the users, who can then analyze it
and support performance improvements. Today, front-runners
in sustainability often create performance dashboards to
provide transparency to the internal users of the information —
including operations and management. Such performance
dashboards allow users to benchmark the performance of their
manufacturing site to the company’s comparable operations and
identify correlations between production and consumption (e.g.,
energy usage, water usage and materials efficiency). In addition,
data can be tailored and analyzed for comparability and to
identify errors or inaccurate estimations in the data.

This report explores what value this information has for
investors, what could make it more reliable and what role
assurance can play in increasing confidence in it.
This includes non-GAAP financial measures and other
key performance indicators (e.g. organic sales growth),
as well as information on the environmental, social and
governance (ESG)-related risks and opportunities.
There is a clear appetite from investors for information
outside of the financial statements. The investors
interviewed said it gives important context to the financial
information and insight into the long-term viability of
the company.
But investors can be skeptical about its
relevance and reliability. Over a series of interviews and
roundtables, investors explained the challenges they face
in using NFI – with many of these arising from
the numerous reporting frameworks and initiatives in
this area, the sheer volume of information reported
and the perceived lack of high-quality, consistent and
comparable information.

Overall, investors said that to increase their confidence
in NFI, they want to know if a company is identifying and
addressing risks, whether it has effective governance and
internal controls, if the methodology behind the metrics is
appropriate and has been applied consistently, if it can be
benchmarked with peers and whether its scenarios and
estimates are reliable.
To address this, there are actions that companies, data
aggregators, assurance providers, standard setters and
regulators can take or should consider to improve the
relevance and reliability of NFI.
Investors want companies to show how NFI is integrated
in their strategic decision-making and are looking for
material information to be underpinned by controls
and processes on a par with those used for financial
information. There is work for reporting and assurance
standard setters to do to enable an environment that
continues to support innovation in this growing area
– including providing greater clarity and comparability
on measurement protocols. Additionally, the investors
interviewed called for innovation by assurance providers
to increase their confidence in NFI.

• To what extent are investors able to use NFI effectively in
their decision-making?
• What can be done to improve the quality and relevance
of reporting on NFI?
• What role can assurance play, if any, in increasing
confidence in NFI?

The answer was almost unanimous: NFI is used for
investment decision-making.

NFI is needed for screening, valuation, and stewardship purposes to:
• Give context to financial information
• Understand corporate culture and governance
• Identify risks to delivering company strategy
• Understand the long-term sustainability of the
business model
• Identify opportunities
• Provide signals for divestment strategy

NFI helps provide context to the investor for a better
understanding of financial information and the overall
performance of the business. For some, it goes further
and supports baseline decisions for investment because
it provides information about the quality of the business
and its long-term viability, complementing the valuation

Non-GAAP financial and non-financial measures (such as
like-for-like sales, revenue per franchise and production
volumes) are widely used in valuation forecasts, whereas
other operational information on the ESG issues (such
as water usage and safety metrics) is included much less
ESG information, particularly environmental and social
metrics (except for carbon emissions), is seen by
investors as less mature than financial information.
Protocols or frameworks for their measurement and
disclosure have come into effect relatively recently and,
for some areas, are still evolving. Requirements and
practices for providing governance information have been
established for much longer. As a result, investors are
more familiar with and able to use this information.

Overwhelmingly, investors depend on their dialogue with
company management to assess how much they can
rely on the information provided. However, there was a
general view that, when the information is assured by an
independent third party, they can have more confidence
in the information, although it may not necessarily change
how they use it.

Investors are also looking for a balance between the
positive and negative, including adjustments to arrive at
non-GAAP financial measures. For example:
• Are they overly positive, telling only favorable news,
implying the omission of unfavorable news?
• Does the company only make one-off adjustments that
result in higher profits in each period?
• Are there inconsistencies in how disclosures are
presented year-on-year or between segments,
preventing negative information being disclosed?

Data analytics is an increasingly prominent discipline. Smart
analytics can reveal reporting errors, thereby supporting the
continuous improvements in a company’s journey to reliable
nonfinancial information. Smart analytics is based on business
rules that have been set to perform the analysis. Consider
a company with global operations that reports on energy
consumption and greenhouse gas and other emissions (i.e.,
NOx, organic emissions and SO2). The energy consumption types
involved range from oils and coals to gas and electricity. The
combustion of coal results in NOx content as a consequence
of the chemical content of coal. Therefore, sites that use coal
as an energy source also emit NOx. Smart data analytics (e.g.,
automated data validation controls) can be built to reveal sites
that use coal as an energy source but do not report on NOx
emissions, resulting in an error message. This is an example
of using automated data validation controls through smart
analytics to identify errors before they go up the chain of
command for review and/or external assurance. This is especially
powerful, as it provides full coverage of the data rather than a
simple data sample.
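
An added example (not from the original report) of the automated data validation control described above, written in Python and run over every submitted site record rather than a sample. The column names, site names and values are constructed for illustration; treating a reported NOx value of zero at a coal-burning site as an error is an assumption that goes beyond the rule stated in the text.

```python
import csv
import io

# Constructed sample submissions (not real data); column names are assumptions.
SAMPLE_CSV = """site,coal_tonnes,gas_mwh,nox_tonnes
Plant-A,1200,300,4.1
Plant-B,0,950,
Plant-C,800,0,
Plant-D,450,120,0
Plant-E,,600,0.2
Plant-F,n/a,0,
"""

def _parse_amount(raw):
    """Return (value, ok). A blank cell means 'not reported': (None, True)."""
    text = (raw or "").strip()
    if text == "":
        return None, True
    try:
        value = float(text)
    except ValueError:
        return None, False
    # Negative quantities are rejected as unparseable input.
    return (value, True) if value >= 0 else (None, False)

def validate_coal_nox(csv_text):
    """Apply the business rule 'coal use implies NOx reporting' to every row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        coal, coal_ok = _parse_amount(row.get("coal_tonnes"))
        nox, nox_ok = _parse_amount(row.get("nox_tonnes"))
        if not (coal_ok and nox_ok):
            # Bad input must surface as an error, never silently pass the rule.
            findings.append((row["site"], "UNPARSEABLE_VALUE"))
        elif coal:  # coal reported and greater than zero
            if nox is None:
                findings.append((row["site"], "COAL_WITHOUT_NOX"))
            elif nox == 0:
                # Assumption: zero NOx alongside coal use is also inconsistent.
                findings.append((row["site"], "COAL_WITH_ZERO_NOX"))
    return findings

if __name__ == "__main__":
    for site, code in validate_coal_nox(SAMPLE_CSV):
        print(f"ERROR {code}: {site}")
```

Running the check before data moves up for management review or external assurance gives the reviewer a list of sites to query instead of a dataset to sample.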

According to COSO:
“Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to
risk assessment is establishment of objectives, linked at
different levels and internally consistent. Risk assessment is
the identification and analysis of relevant risks to achievement
of the objectives, forming a basis for determining how the
risks should be managed. Because economic, industry,
regulatory and operating conditions will continue to change,
mechanisms are needed to identify and deal with the special
risks associated with change.
Internal control systems need to be monitored — a process that
assesses the quality of the system’s performance over time.
This is accomplished through ongoing monitoring activities,
separate evaluations or a combination of the two. Ongoing
monitoring occurs in the course of operations. It includes
regular management and supervisory activities, and other
actions personnel take in performing their duties. The scope
and frequency of separate evaluations will depend primarily
on an assessment of risks and the effectiveness of ongoing
monitoring procedures. Internal control deficiencies should
be reported upstream, with serious matters reported to top
management and the board.”

The Institute of Internal Auditors (IIA) defines “internal auditing”
as “an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations”
that “helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance
processes.”13 In practice, internal auditors perform audits to test
the effectiveness of nonfinancial information data management,
compliance with internal and external standards and definitions,
and the accuracy and completeness of the reported information
— all in an effort to manage key risks to the organization.
The IIA’s implementation guidance suggests: “The internal
audit activity must evaluate the adequacy and effectiveness
of controls in responding to risks within the organization’s
governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives
• Reliability and integrity of financial and
operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures,
and contracts”

Internal audit can play a critical role in the nonfinancial
information reporting and data management by:
1. Recommending improvements to controls for assuring
the accuracy and completeness of nonfinancial information.
2. Focusing on the disclosures.
3. Offering recommendations to expedite how nonfinancial
information is collected, aggregated and managed.
4. Providing recommendations regarding the types of
disclosures made (in external and internal reporting)
and whether the information is material to the organization.
5. Evaluating the information to ensure it is consistent with
the criteria defined by companies and with external reporting
6. Ensuring that the data management processes, controls
and data flows are documented appropriately.