Lene Bjørn Serpa discusses the role of assurance in strengthening internal controls. Interview by Vincent Huck
How does the fact that the information reported under CSRD will be audited impact preparation and compliance work?
Maersk has been getting limited assurance of our sustainability data for many years. For us, the initial requirement to have limited assurance is not in itself a major change. But we are, of course, also seeing this as an opportunity, as we prepare for the regulation, to also look to what would it require for us to have reasonable assurance for at least some of the most material KPIs?
Clearly, it is a change because there would be greater scrutiny for aiming for reasonable assurance, especially the control environment around the reporting processes and of course, of the numbers in themselves. It requires significantly more resources to be able to achieve reasonable assurance, not least I would say, out in the frontline of the organization where the data is coming in. This is a journey that we will be on, it will take some years before we're ready for that.
Beyond resources, what needs to be in place that is perhaps not in place today?
It's also about upskilling the organization. We already have our risk controls team in place. They have their expertise in financial reporting, they understand financial data but they do not necessarily understand ESG data, sustainability data. So, we have to work together with them to ensure that we're asking the right questions in our internal control. The controls we put in place have to be material to the actual risks.
You mentioned on the panel that limited assurance has helped internally to get to grips with this type of information and disclosures. Is it purely the fact that it is because it's something that is going to be publicly available and on which someone is going to give an opinion? Or there is more to it?
So, it's helped in several ways, in the sense that having external auditors along with us as part of the sustainability reporting process. In the past at least, when sustainability was not always considered core to the strategy of the company and this is not a Maersk specific thing, but I think a general problem in companies was that sustainability may have had that that sort of stereotypical view of 'here come the tree huggers and ask these questions which don't really matter'. But if you have the auditors along with you who ask credible questions and speak in a language which the organization understands, that simply helps that initial upskilling that's necessary for people to understand what is required.
And, when we are reporting on sustainability data, we also need to have that approach of scrutiny of ensuring the relevance, the completeness, the scope of the data, and all these requirements which are sort of second nature to a financial organization when it comes to looking at financial data. It's the same things you need to apply to working on non -financial data. That has been a strong change agent in improving the quality of our data.
During the CSRD trialogue one question was who should provide the assurance. From your point of view, what are the benefits of having the statutory auditor doing it? Would there be benefits in someone else doing it?
It's most beneficial to have the statutory auditor do it because that's what underpins the integration of financial reporting and sustainability reporting so we're just not considered as something completely different and sort of a strange bird on the side. So I do think that's important. However, I think it's also important that the auditors, as they take on that challenge, also need to understand and be upskilled in their approach to how they are working with sustainability data because it is different.
In some cases, it can be very difficult to quantify sustainability data, and then you should not expect to be able to go about the assurance process in the same way. Again, if you have internal controls, you need to ask different types of questions for ESG data versus financial data in the same way you need to ask different questions when you're looking at it from an audit perspective.
