Summary
The EITI Standard seeks to ensure a credible EITI reporting process that produces reliable data. While data quality issues are relevant to all aspects of EITI implementation, the EITI Standard puts a particular emphasis on whether the data on company payments and government revenues (within the scope of EITI reporting) are subject to credible, independent audit, applying international auditing standards. To achieve this, the EITI seeks to build on existing audit and assurance systems in government and industry, and to promote adherence to international practice and standards. In countries with weak audit and assurance systems (in government and/or industry), EITI Reporting can play a key role in identifying these issues, encouraging reforms and monitoring progress. In countries with strong audit and assurance systems, the EITI Reporting procedures should not duplicate existing internal controls or impose time-consuming reporting requirements. The detailed requirements are set out in Requirement 4.9 and in the standardised Terms of Reference for Independent Administrators. (Note: The EITI Requirements related to data assurance refer to the financial data disclosed in accordance with Requirement 4. However, Validation also examines any MSG discussions related to ensuring that the information disclosed in accordance with Requirements 2, 3, 5 and 6 is reliable, and whether there are any reliability gaps in the information provided; see the EITI Validation Guide.)
As a starting point, the EITI requires an assessment of whether company payments and government revenues are subject to credible, independent audits, applying international auditing standards (Requirement 4.9a). This assessment has two functions. First, in many countries, this assessment has identified weaknesses in audit and assurance praxis, and has led MSGs to make recommendations to strengthen this work. The adoption of these recommendations and overall progress in strengthening audit and assurance systems can thus be tracked through successive EITI Reports. Second, the assessment informs MSG deliberations on ensuring that the EITI Reporting process produces reliable data. (Note: Where this assessment concludes that there is: (i) routine disclosure of the data required by the EITI Standard in requisite detail, and (ii) that the financial data is subject to credible, independent audit, applying international standards, the multi-stakeholder group may seek Board approval to mainstream EITI implementation. There are separate guidance materials for the mainstreaming procedure.)
The standardised Terms of Reference for Independent Administrators include detailed provisions addressing data quality and assurance that must be comprehensively addressed. In many cases, the Independent Administrator will propose quality assurance procedures for the MSG’s review and approval. The decisions to be made regarding data quality and assurance require careful attention from the MSG. These deliberations should be well documented, including the options considered and the rationale for the agreed procedure. Insufficient attention to and documentation of these aspects has been a common cause of non-compliance.
This note provides guidance to multi-stakeholder groups (MSGs) on meeting these requirements. It suggests four key steps: (1) review audit and assurance practices; (2) agree on assurances to be provided by reporting entities to the Independent Administrator; (3) document the MSG’s deliberations; and (4) assess compliance with quality assurance procedures and the materiality of any omissions. The final section (5) addresses the Validation of data quality and assurance provisions.
How to implement Requirement 4.9
Step 1: Review audit and assurance practices
The EITI Standard (Requirement 4.9) seeks to build on existing audit and assurance systems in government and industry and to promote adherence to international best practice. The template ToRs for Independent Administrators (Section 1.2.3) require an assessment of audit and assurance systems in government and industry and use this to inform the design of the EITI reporting process. It is a requirement in section 4.2.f of the template ToRs for IAs that EITI reporting documents whether all participating companies and government entities had their financial statements audited in the financial year(s) covered by the EITI Report, with any gaps or weaknesses disclosed. This provides essential contextual information about data reliability. In weak audit and assurance systems (both public and private), the design of EITI quality assurance procedures can help strengthen government systems and serve as a diagnostic tool for reforms. In countries with strong systems (such as Norway, Figure 3), this avoids duplicating assurance procedures, and recognises and reinforces adherence to best practice. (Note: This procedure is not new. It was explicitly required as per Requirement 5.2.b of the EITI Standard (2013) and has now been incorporated into the terms of reference for Independent Administrators (Section 1.2.3).)
Review of requirements/rules: The first step is to consider the relevant legislation, regulations and institutions responsible for overseeing the audit of reporting government entities and companies. Responsibility for auditing public sector accounts generally rests with an independent Office of the Auditor General (or Cours des Comptes in Francophone countries). There are typically two types of audit regimes for privately-held extractives companies. Companies listed on stock exchanges are typically required to publish audited financial statements, usually accessible online. Rules for privately-held companies differ according to country, yet most jurisdictions require external audits for companies above a certain turnover threshold. Auditing procedures for state-owned enterprises also vary: in countries where the SOE has been corporatized they tend to be audited by external auditors; in others the State’s Auditor General often has jurisdiction as in the example of Myanmar in Figure 1.
Guiding questions:
- Do laws and regulations specify that public-sector accounts (government ministries, independent regulatory agencies, state-owned enterprises) be audited?
- Which institution is responsible for auditing government entities involved in EITI reporting? Are state-owned enterprises audited by the same agency as government entities, or by external auditors?
- What are the legal and regulatory requirements for privately-owned companies? What are the requirements for companies listed on a stock exchange?
- What is the frequency of required audits, for both government entities and companies?
- Is public disclosure of the audit reports required? If so, where?
- How do national standards compare to international best practice?
- What is the basis (cash-based or accrual-based) for audited accounts of government entities and extractives companies? Is it the same as that used for EITI reporting (typically, but not always, cash-based)?
- Are any reforms related to auditing standards planned or underway?
Assessment of practice: The second step is to assess actual practice compared to the legal requirements. In a number of implementing countries (e.g., the Democratic Republic of Congo (Figure 2), Mauritania, Senegal), the Auditor General has built up arrears of several years for public sector audits and had not audited the accounts for reporting government entities for the year under review. Similarly, many of the companies that report in EITI implementing countries do not have audited financial statements. The MSG should consider whether these practices are in line with legislative requirements, an assessment that will be useful in designing the quality assurance procedures.
Guiding questions:
- Have the participating companies and government entities had their financial statements audited in the financial year(s) covered by EITI reporting? (Discrepancies in practice could form the basis for valuable recommendations.)
- Are all of the reporting entities’ financial statements and audit reports publicly accessible? If so, where?
- What are the other major deviations from the legislative requirements for auditing procedures in both government entities and companies?
- What has been the impact of any recent reform related to auditing on actual practice?
- How efficient are the current auditing practices for both government entities and companies? Could any changes to current practices improve efficiency?
A concise explanation of these rules and requirements, including links to other publicly available information, is often a useful feature in EITI Reports. It is recommended that the EITI Report includes a summary of the findings and (where appropriate) recommendations for reforms to address these issues. Otherwise, the MSG should ensure that the results of the review of audit and assurance practices are publicly available elsewhere.
Step 2: Agree on assurances to be provided by reporting entities to the Independent Administrator
Based on the earlier assessment of auditing and assurance legislative requirements and actual practice, the MSG is advised to explore different options for quality assurance in light of whether all reporting entities have had their financial statements audited for the year(s) under review. The proposed quality assurance procedures should be outlined in the Terms of Reference for Independent Administrators and confirmed at the inception phase, in line with Section 1.3.3 of the template ToRs for the IA. As set out in the ToRs: “The Independent Administrator should exercise judgement and apply appropriate international professional standards in developing a procedure that provide a sufficient basis for a comprehensive and reliable EITI Report.” So while the MSG can propose an approach to quality assurance for reporting entities, the Independent Administrator is not required to adopt the proposal if it is deemed insufficient to meet appropriate international professional standards.
The MSG should also decide on clear lines of responsibility for compiling the contextual information in EITI reporting, ensuring appropriate and consistent sourcing/attribution of all statistics included. It should also consider provisions for safeguarding the confidentiality of EITI information pre-reconciliation, together with the Independent Administrator, in line with Section 1.2.6 of the ToRs for the Independent Administrator, which requires that the inception report “confirms the reporting templates, as well as any procedures or provisions relating to safeguarding confidential information”.
A number of examples of quality assurances are included in the standard Terms of Reference for Independent Administrators on the EITI website. Depending on auditing practices and the level of data reliability sought, the Independent Administrator, with approval from the MSG, may consider requiring from reporting entities any or all of the following:
- “That a senior company or government official from each reporting entity signs off on the completed reporting form as a complete and accurate record.
- That the companies attach a confirmation letter from their external auditor that confirms that the information they have submitted is comprehensive and consistent with their audited financial statements. The multi-stakeholder group may wish to phase in any such procedure so that the confirmation letter may be integrated into the usual work programme of the company’s auditor. Where some companies are not required by law to have an external auditor and therefore cannot provide such assurance, this should be clearly identified, and any reforms that are planned or underway should be noted.
- Where relevant and practicable, government reporting entities may be requested to obtain a certification of the accuracy of the government’s disclosures from their external auditor or equivalent.”
a. Assurances from reporting government entities
In some implementing countries, where the Auditor General has fallen behind in its statutory duties, the MSG has worked with the Finance Ministry’s audit department (or Inspection Générale des Finances in Francophone countries) to certify EITI reporting by government entities. See for example the Democratic Republic of Congo in Figure 5 below. However, the lack of the constitutional autonomy of the Auditor General’s Office means such measures should by nature be temporary, pending a return to statutory operations of the Auditor General’s office. The MSG may wish to consider how the EITI process can help steer and support such capacity development. It is also advisable for the MSG to maintain close contact with the Auditor General’s office, reflected in the example of Mongolia in Figure 4.
The MSG is also advised to note the accounting bases on which annual audits and EITI reporting are respectively based. If for instance a company is audited on an accrual basis but EITI reporting is on a cash basis, then the person certifying the reporting templates is certifying that the cash-based reporting is consistent with the company’s accrual-based accounts.
b. Assurances from reporting companies
In light of the findings from its assessment of auditing practices, the Independent Administrator should propose for MSG review and approval appropriate assurance procedures for company and government disclosures. In developing assurance procedures, the Independent Administrator and MSG should consider whether companies’ audited financial statements are compiled on an accrual or cash basis. For companies whose financial statements for the period under review have not been audited externally (to international standards), the Independent Administrator and MSG will need to agree appropriate assurance procedures that ensure the credibility of the data. In some cases, a “two-tier approach” might be considered. For companies whose financial statements were audited in the year(s) under review, the MSG may consider more flexibility in deciding whether or not to require, for example, certification of EITI reporting templates from the external auditors.
Assurance procedures for state-owned enterprises’ reporting vary by country, depending on whether each entity is audited by the State’s Auditor General or by a private external auditor. The Independent Administrator should propose an approach for MSG review and approval. For example, Azerbaijan’s 2014 EITI Report includes a risk-based approach with spot audit checks of specific payments across reporting entities (Figure 9 below).
Assurance procedures vary between implementing countries, from sign-off from a senior company official in the Philippines, where all reporting companies’ financial statements were audited for the year under review (Figure 7), to Mali where a sign-off from companies’ external auditors is required (Figure 8).
Step 3: Document the assessment of auditing processes, options considered when developing quality assurance procedures, and the rationale for agreed assurances
MSG discussions about auditing processes and EITI quality assurance procedures should be clearly documented in the minutes of MSG meetings (Requirement 1.4.b(viii)), reflected in the Terms of Reference for the Independent Administrator (Requirement 4.9.b.iii), and addressed in the inception report, draft report and final report from the Independent Administrator as per the ToRs. An example is provided from the United Kingdom in Figure 10.
Step 4: Assess compliance with quality assurance procedures and the materiality of any omissions
Following data collection, the Independent Administrator should provide:
“an assessment of whether all companies and government entities within the agreed scope of the EITI reporting process provided the requested information. Any gaps or weaknesses in reporting to the Independent Administrator must be disclosed in the EITI Report, including naming any entities that failed to comply with the agreed procedures, and an assessment of whether this is likely to have had material impact on the comprehensiveness of the report” (Section 4.2e of the ToRs for the Independent Administrator).
Furthermore, one of the central objectives of the EITI reporting process is for the Independent Administrator to provide an assessment “on the comprehensiveness and reliability of the (financial) data presented, including an informative summary of the work performed by the Independent Administrator and the limitations of the assessment provided” (Section 4.2c of the ToRs for the Independent Administrator).
The MSG is also advised to ensure that a summary of the work on data reliability performed by the Independent Administrator is included in the EITI Report, clearly noting the limitations of the assessment provided.
The MSG and Independent Administrator may wish to draw on the review of legislative auditing requirements and the assessment of practice and practical experience to formulate recommendations on these matters. These may range from recommendations narrowly focused on improving the quality of EITI data to recommendations focussed on wider reforms to audit and assurance procedures.
Where recommendations related to data quality and assurance have been included in previous EITI Reports, the MSG should track progress in following up and implementing these recommendations as part of the Annual Progress Report (Requirement 7.4.a.iii).
Step 5: Validation of data quality and assurance procedures
EITI implementing countries are required to meet minimum data reliability requirements during Validation, in line with Requirement 8.3.c.i of the 2016 EITI Standard: “Where a country achieves less than meaningful progress on data quality (4.9) and data comprehensiveness (4.1), the MSG will be required to disclose a time-bound action plans for addressing weaknesses in data reliability and comprehensiveness. Progress with implementation of this plan will be taken into account in subsequent validations.”
This provision further reinforces the importance of diligent attention to these issues throughout the reporting process.