The management of Commercial Bank of Ceylon PLC (“the Bank”) engaged us to provide an independent assurance on the following elements of its Integrated Annual Report for the year ended December 31, 2022 (“the Report”).
We perform our procedures to provide reasonable and limited assurance in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE 3000) (Revised): ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’.
The criteria applied for this assurance engagement:
Our engagement provides limited assurance as well as reasonable assurance. A limited assurance engagement is substantially less in scope than a reasonable assurance engagement conducted in accordance with SLSAE-3000 (Revised) and consequently does not enable to obtain assurance that we would become aware of all significant matters that might be identified in a reasonable assurance engagement.
The management of the Bank is responsible for selecting the criteria, and for the preparation and presentation and self-declaration of the information contained in the Report in accordance with the given criteria, in all material respects. This responsibility includes establishing and maintaining internal controls, maintaining adequate records and making estimates that are relevant to the preparation of the information, such that it is free from material misstatement, whether due to fraud or error.
Our responsibility is to express a conclusion as to whether we have become aware of any matter that causes us to believe that the Report is not prepared in accordance with the given criteria. This Report is made solely to the Bank in accordance with our engagement letter dated February 20, 2023. We disclaim any assumption of responsibility for any reliance on this Report to any person other than the Bank or for any purpose other than that for which it was prepared. In conducting our engagement, we have complied with the independence requirements of the Code of Ethics for Professional Accountants issued by CA Sri Lanka, EY also applies International Standard on Quality Control 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
We planned and performed our procedures to obtain the information and explanations considered necessary to provide sufficient evidence to support our assurance conclusions. We performed such other procedures as we considered necessary in the circumstances. Key assurance procedures included:
Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.
Social, Natural and Intellectual capital management data/information are subject to inherent limitations given their nature and the methods used for determining, calculating and estimating such data.
We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Report.
Based on our procedures and the evidence obtained, we conclude that:
Colombo
February 24, 2023
The management of Commercial Bank of Ceylon PLC (“the Bank”) engaged us to provide an independent assurance on the following elements of its Integrated Annual Report for the year ended December 31, 2022 (“the Report”).
We perform our procedures to provide reasonable and limited assurance in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE 3000) (Revised): ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’.
The capital management criteria used for this limited assurance engagement are based on the Guiding Principles and Content Elements given in the IFRS Foundation/ International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).
Our engagement provides limited assurance as well as reasonable assurance. A limited assurance engagement is substantially less in scope than a reasonable assurance engagement conducted in accordance with ISAE-3000 (Revised) and consequently does not enable to obtain assurance that we would become aware of all significant matters that might be identified in a reasonable assurance engagement.
The management of the Bank is responsible for the preparation and presentation and self-declaration of the information and statement contained within the Report, and for maintaining adequate records and internal controls that are designed to support the Integrated Reporting process under the Integrated Reporting Framework (<IR> Framework).
Our responsibility is to express a conclusion as to whether we have become aware of any matter that causes us to believe that the Report is not prepared in accordance with the Guiding Principles and Content Elements given in the Integrated Reporting Framework (<IR> Framework). This report is made solely to the Bank in accordance with our engagement letter dated February 20, 2023. We disclaim any assumption of responsibility for any reliance on this report to any person other than the Bank or for any purpose other than that for which it was prepared. In conducting our engagement, we have complied with the independence requirements of the Code of Ethics for Professional Accountants issued by CA Sri Lanka, EY also applies International Standard on Quality Control 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
We planned and performed our procedures to obtain the information and explanations considered necessary to provide sufficient evidence to support our assurance conclusions. We performed such other procedures as we considered necessary in the circumstances.
Key assurance procedures included:
Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.
Social, Natural and Intellectual capital management data/information are subject to inherent limitations given their nature and the methods used for determining, calculating and estimating such data.
We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Report.
Based on our procedures and the evidence obtained, we conclude that:
Colombo
February 24, 2023
DNV as represented by DNV Business Assurance Lanka (Private) Limited (‘DNV’) was engaged by management of Commercial Bank of Ceylon PLC (‘Commercial Bank’ or ‘the Bank’, Company Registration Number PQ116) to undertake an independent assurance of the qualitative and quantitative non-financial information (sustainability performance) presented in the Bank’s Annual Report 2022 (‘the Report’) in its printed format.
This Report is prepared based on the Guiding Principles and Content Elements of the International <IR> Framework (January 2021, the ‘<IR> Framework’) of the International Integrated Reporting Council (‘IIRC’) and the Global Reporting Initiative’s (GRI’s) Sustainability Reporting Standards (‘GRI Standards 2021’) to bring out the various Content Elements of the <IR> Framework and performance trends related to identified material topics. The intended user of this Assurance Statement is the management of the Bank.
We performed a Type 2 Moderate Level of assurance using AccountAbility’s AA1000 Assurance Standard v3 (August 2020, ‘AA1000AS v3’) and DNV’s assurance methodology VeriSustainTM1, which is based on our professional experience, international assurance best practices including International Standard on Assurance Engagements 3000 (ISAE 3000) Revised* and the GRI’s Principles for Defining Report Content and Quality. Our assurance engagement was planned and carried out during February-March 2023 for the reported performance indicators during the reporting period January 01, 2022 to December 31, 2022.
We planned and performed our work to obtain the evidence we considered necessary to provide a basis for our assurance opinion, and our process did not involve engagement with external stakeholders. In doing so, we evaluated the qualitative and quantitative disclosures presented in the Report using the Guiding Principles of the <IR> Framework, together with the Bank’s procedures and protocols for how the non-financial performance was measured, recorded and reported.
The reporting topic boundary of sustainability/non-financial performance is as set out in the Report in the section ‘Basis of Preparation’ and is based on internal and external materiality assessment covering Commercial Bank’s banking and associated operations in Sri Lanka. The Report excludes performance data and information related to the activities of Commercial Bank’s seven subsidiaries – Commercial Development Co. PLC, CBC Tech Solutions Ltd., CBC Finance Ltd., Commex Sri Lanka S.R.L Italy, Commercial Bank of Maldives (Private) Limited, CBC Myanmar Microfinance Company Limited and Commercial Insurance Brokers (Pvt.) Ltd., and the operations of its associate, Equity Investments Lanka Ltd. as the results of their operations are not significant (<1 % revenue) compared to the overall results of the Bank.
The Management team of the Bank have the sole accountability for the preparation of the Report and are responsible for the information disclosed in the Report as well as the processes for collecting, analysing and reporting the information presented in the Report. In performing the assurance work, our responsibility is to the management of the Bank; however, this statement represents our independent opinion and is intended to inform the outcome of our assurance to the stakeholders of the Bank.
DNV ’s assurance engagements are based on the assumption that the data and information provided by the client to us as part of our review have been provided in good faith and free from any misstatements. DNV expressly disclaims any liability or co-responsibility for any decision a person or an entity may make based on this Assurance Statement.
Our scope of work focussed on verification of non-financial disclosures only and excluded verification of the reported data on financial performance of the Bank, as financial disclosures and data has been subject to a separate independent statutory audit process.
We planned and performed our work to obtain the evidence considered necessary to provide a basis for our assurance opinion, and as part of the assurance engagement, a multi-disciplinary team of sustainability and assurance specialists conducted remote assessments and interactions with key internal stakeholders at the Bank’s Head Office and operational branches of the Bank in Sri Lanka based on DNV’s sampling plan. We adopted a risk-based approach, that is, we concentrated our remote verification efforts on the issues of high material relevance to the Bank and its key stakeholders. We undertook the following activities:
During the assurance process, we did not come across limitations to the scope of the agreed assurance engagement.
On the basis of the assurance work undertaken, nothing has come to our attention that causes us to believe that the Report does not properly describe Commercial Bank of Ceylon PLC’s adherence to the criteria of reporting (Guiding Principles and Content Elements) related to the <IR> Framework, representation of the material topics, business model, disclosures on value creation through six(6) identified capitals, related strategies and management approach, and chosen topic specific GRI Standards related to identified material topics. Without affecting our assurance opinion, we also provide the following observations.
People should have a say in the decisions that impact them.
We reviewed the application of the principle of Inclusivity i.e. the process of stakeholder identification and engagement including effectiveness of the review process in identifying, engaging and responding to key sustainability concerns of significant stakeholders such as employees, customers, investors, regulators and society. The Bank has ongoing processes for stakeholder engagement to identify critical and emerging issues based on the changes in external environment through its documented stakeholder engagement process, however the stakeholder engagement process could be further strengthened to collect inputs, ideas and suggestions through structured customer feedback mechanisms on a proactive basis.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Inclusivity.
Decision makers should identify and be clear about the sustainability topics that matter
The Report brings out the application of the Materiality principle of the <IR> Framework to arrive at significant material topics for the organisation considering its nature of business. As part of assurance, we reviewed the process of materiality assessment of the process of revalidation of materiality based on inputs from its key stakeholders.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Materiality.
Organisations should act transparently on material sustainability topics and their related impacts
The key stakeholder concerns and the Bank’s responses to these concerns are fairly responded to within the Report through disclosures such as Bank’s business model, policies, management systems, governance mechanisms, disclosures on management approach. However, the bank can focus more disclosing the Bank’s short, medium, and long-term goals with respect to identified material topics in future reporting periods.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Responsiveness.
Organisations should monitor, measure, and be accountable for how their actions affect their broader ecosystems
The Report brings out the Bank’s metrics such as customer centricity, prudent growth, operational excellence, innovation etc. and management processes established for monitoring, measurement, and evaluation of key non-financial impacts on its internal and external stakeholders. The Report also describes both positive and negative impacts during the reporting period and related approaches to mitigate risks if any, to constantly create and change value for the Bank and its key stakeholders.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Impact.
We consider the methodology and process for gathering information developed by Commercial Bank for its non-financial/sustainability performance reporting to be appropriate, and the qualitative and quantitative data included in the Report was found to be identifiable and traceable; the personnel responsible were able to demonstrate the origin and interpretation of the data and its reliability. We observed that the Report presents a faithful description of the reported sustainability activities and goals achieved for the reporting period.
The accuracy and comparability of information presented in the report, as well as the quality of underlying data management systems
The Report brings out Commercial Bank’s non-financial performance for identified material matters through chosen GRI Topic Specific Standards. The robustness of the data management and aggregation systems was evaluated and verified through our remote assessments at the Head Office and were found to be fairly accurate and reliable. Some of the data inaccuracies identified during the verification process were found to be attributable to transcription, interpretation and aggregation errors and these errors have been corrected.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Reliability.
How much of all the information that has been identified as material to the organisation and its stakeholders is reported
The Report has brought out the Content Elements, Guiding Principles and value creation through its six (6) identified capitals, its business model, strategies and management approach disclosures in line with the <IR> Framework and its key requirements as well as non-financial performance related to material topics through chosen GRI Standards of entities within the chosen reporting boundary considering the Bank’s sphere of control and influence.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Completeness.
The extent to which a report provides a balanced account of an organisation’s performance, delivered in a neutral tone
The Report brings out the Bank’s challenges, concerns related to key stakeholders such as employees, customers, investors, regulators and society and responses to challenges during the reporting period in a neutral tone in terms of content and presentation.
Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Neutrality.
DNV applies its own management standards and compliance policies for quality control, in accordance with ISO IEC 17021:2015 - Conformity Assessment Requirements for bodies providing audit and certification of management systems, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.
We have complied with the DNV Code of Conduct2 during the assurance engagement and maintain independence where required by relevant ethical requirements including the AA1000AS v3 Code of Practice. This engagement work was carried out by an independent team of sustainability assurance professionals. DNV was not involved in the preparation of any statements or data included in the Report except for this Assurance Statement and Management Report. DNV maintains complete impartiality toward stakeholders interviewed during the assurance process. DNV did not provide any services to Commercial Bank and its subsidiaries in the scope of assurance during 2022-23 that could compromise the independence or impartiality of our work.
For and on behalf of DNV AS
Colombo, Sri Lanka
March 01, 2023
Tapan Kumar Panda
Lead Verifier,
DNV Business Assurance India Private Limited, India.
Prakash Tikare
Country Manager- India & Sri Lanka
DNV Business Assurance India Private Limited, India.
Bhargav Lankalapalli
Technical Reviewer
DNV Business Assurance India Private Limited, India.
DNV Business Assurance Lanka (Private) Limited is part of DNV – Business Assurance, a global provider of certification, verification, assessment and training services, helping customers to build sustainable business performance. www.dnv.com
1 The VeriSustain protocol is available on request from www.dnv.com .The protocol is based on our professional experience, international assurance best practice including International Standard on Assurance Engagements 3000 (ISAE 3000) Revised (Assurance Engagements other than Audits or Reviews of Historical Financial Information) and the Global Reporting Initiative’s (GRI’s) Principles for Defining Report Content and Quality.
Project No.: PRJN-508793-2023-AST-LKA