Supplementary Information

Annex 6: Independent Assurance Reports


Annex 6.1: Independent Assurance Report to Commercial Bank of Ceylon PLC on Sustainability Reporting Criteria presented in the Integrated Annual Report 2022

EY

Independent Assurance Report to the Board of Directors of Commercial Bank of Ceylon PLC

Introduction and scope of the engagement

The management of Commercial Bank of Ceylon PLC (“the Bank”) engaged us to provide an independent assurance on the following elements of its Integrated Annual Report for the year ended December 31, 2022 (“the Report”).

  • Reasonable assurance on the information on financial performance as specified on pages 270 and 271, 329 to 335, and 430 of the Report.
  • Limited assurance on other information presented in the Report, prepared in accordance with the GRI Standards.

Basis of our work and level of assurance

We perform our procedures to provide reasonable and limited assurance in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE 3000) (Revised): ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’.

The criteria applied for this assurance engagement:

  • The Global Reporting Initiative's (GRI) Sustainability Reporting Guidelines, publicly available at GRI’s global website www.globalreporting.org.

Our engagement provides limited assurance as well as reasonable assurance. A limited assurance engagement is substantially less in scope than a reasonable assurance engagement conducted in accordance with SLSAE-3000 (Revised) and consequently does not enable to obtain assurance that we would become aware of all significant matters that might be identified in a reasonable assurance engagement.

Management of the Bank’s responsibility for the Report

The management of the Bank is responsible for selecting the criteria, and for the preparation and presentation and self-declaration of the information contained in the Report in accordance with the given criteria, in all material respects. This responsibility includes establishing and maintaining internal controls, maintaining adequate records and making estimates that are relevant to the preparation of the information, such that it is free from material misstatement, whether due to fraud or error.

Ernst & Young’s responsibilities

Our responsibility is to express a conclusion as to whether we have become aware of any matter that causes us to believe that the Report is not prepared in accordance with the given criteria. This Report is made solely to the Bank in accordance with our engagement letter dated February 20, 2023. We disclaim any assumption of responsibility for any reliance on this Report to any person other than the Bank or for any purpose other than that for which it was prepared. In conducting our engagement, we have complied with the independence requirements of the Code of Ethics for Professional Accountants issued by CA Sri Lanka, EY also applies International Standard on Quality Control 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

Key Assurance Procedures

We planned and performed our procedures to obtain the information and explanations considered necessary to provide sufficient evidence to support our assurance conclusions. We performed such other procedures as we considered necessary in the circumstances. Key assurance procedures included:

  • Agreed the information on financial performance as disclosed on pages 270 and 271, 329 to 335, and 430 of the Report to audited financial statements
  • Validated the information presented and checked the calculations performed by the organisation through recalculation
  • Performed a comparison of the content given in the Report against the criteria given in the selected sustainability standards/frameworks.
  • Conducted interviews with relevant organisation’s personnel to understand the process for collection, analysis, aggregation and presentation of data. Interviews included selected key management personnel and relevant staff
  • Read the content presented in the Report for consistency with our overall knowledge obtained during the course of our assurance engagement and requested changes wherever required.
  • Provided guidance, recommendations and feedback on the improvement of the sustainability reporting indicators to improve the presentation standard.

Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.

Limitations and considerations

Social, Natural and Intellectual capital management data/information are subject to inherent limitations given their nature and the methods used for determining, calculating and estimating such data.

We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Report.

Conclusion

Based on our procedures and the evidence obtained, we conclude that:

  • The information on financial performance as specified on pages 270 and 271, 329 to 335, and 430 of the Report are properly derived from the audited financial statements for the year ended December 31, 2022.
  • Nothing has come to our attention that causes us to believe that the information presented in the Report are not fairly presented, in all material respects, in accordance with the relevant criteria.

EY Signature

Colombo
February 24, 2023

EY

Annex 6.2: Independent Assurance Report to Commercial Bank of Ceylon PLC on Integrated Reporting presented in the Annual Report 2022

EY

Independent Assurance Report to the Board of Directors of Commercial Bank of Ceylon PLC on the Integrated Annual Report – 2022

Introduction and scope of the engagement

The management of Commercial Bank of Ceylon PLC (“the Bank”) engaged us to provide an independent assurance on the following elements of its Integrated Annual Report for the year ended December 31, 2022 (“the Report”).

  • Reasonable assurance on the information on financial capital management as specified on pages 56 and 100 to 111 of
    the Report.
  • Limited assurance on other information on management of the capitals (other than financial capital), stakeholder engagement, business model, strategy, organisational overview & external environment outlook presented in the Report prepared in accordance with the Guiding Principles and Content Elements given in the IFRS Foundation/International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).

Basis of our work and level of assurance

We perform our procedures to provide reasonable and limited assurance in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE 3000) (Revised): ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’.

The capital management criteria used for this limited assurance engagement are based on the Guiding Principles and Content Elements given in the IFRS Foundation/ International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).

Our engagement provides limited assurance as well as reasonable assurance. A limited assurance engagement is substantially less in scope than a reasonable assurance engagement conducted in accordance with ISAE-3000 (Revised) and consequently does not enable to obtain assurance that we would become aware of all significant matters that might be identified in a reasonable assurance engagement.

Management of the Bank’s responsibility for the Report

The management of the Bank is responsible for the preparation and presentation and self-declaration of the information and statement contained within the Report, and for maintaining adequate records and internal controls that are designed to support the Integrated Reporting process under the Integrated Reporting Framework (<IR> Framework).

Ernst & Young’s responsibilities

Our responsibility is to express a conclusion as to whether we have become aware of any matter that causes us to believe that the Report is not prepared in accordance with the Guiding Principles and Content Elements given in the Integrated Reporting Framework (<IR> Framework). This report is made solely to the Bank in accordance with our engagement letter dated February 20, 2023. We disclaim any assumption of responsibility for any reliance on this report to any person other than the Bank or for any purpose other than that for which it was prepared. In conducting our engagement, we have complied with the independence requirements of the Code of Ethics for Professional Accountants issued by CA Sri Lanka, EY also applies International Standard on Quality Control 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

Key Assurance Procedures

We planned and performed our procedures to obtain the information and explanations considered necessary to provide sufficient evidence to support our assurance conclusions. We performed such other procedures as we considered necessary in the circumstances.

Key assurance procedures included:

  • Performed a comparison of the content of the Integrated Annual Report against the Guiding Principles and Content Elements given in the Integrated Reporting Framework (<IR> Framework).
  • Checked whether the information contained in the Integrated Annual Report – Financial Capital element information has been properly derived from the audited financial statements.
  • Conducted interviews with the selected key management personnel and relevant staff and obtained an understanding of the internal controls, governance structure and reporting process relevant to the Integrated Report.
  • Obtained an understanding of the relevant internal policies and procedures developed, including those relevant to determining what matters most to the stakeholders, how the organisation creates value, the external environment, strategy, approaches to putting members first, governance and reporting.
  • Obtained an understanding of the description of the organisation’s strategy and how the organisation creates value, what matters most to the stakeholders and enquiring the management as to whether the description in the Integrated Report accurately reflects their understanding.
  • Checked the Board of Directors meeting minutes during the financial year to ensure consistency with the content of the Integrated Report.
  • Tested the relevant supporting evidence related to qualitative & quantitative disclosures within the Integrated Report against identified material aspects.
  • Read the Integrated Report in its entirety for consistency with our overall knowledge obtained during the assurance engagement.

Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.

Limitations and considerations

Social, Natural and Intellectual capital management data/information are subject to inherent limitations given their nature and the methods used for determining, calculating and estimating such data.

We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Report.

Conclusion

Based on our procedures and the evidence obtained, we conclude that:

  • The information on financial performance as specified on pages 56 and 100 to 111 of the Report are properly derived from the audited financial statements for the year ended December 31, 2022.
  • Nothing has come to our attention that causes us to believe that other information on stakeholder engagement, business model, organisation overview & external environment and outlook presented in the Report are not fairly presented, in all material respects, in accordance with the Integrated Annual Reporting practices and policies which are derived from the IFRS Foundation/International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).

EY Signature

Colombo
February 24, 2023

EY

Annex 6.3: Independent Assurance Statement on Non-Financial Reporting – DNV

DNV

Scope and Approach

DNV as represented by DNV Business Assurance Lanka (Private) Limited (‘DNV’) was engaged by management of Commercial Bank of Ceylon PLC (‘Commercial Bank’ or ‘the Bank’, Company Registration Number PQ116) to undertake an independent assurance of the qualitative and quantitative non-financial information (sustainability performance) presented in the Bank’s Annual Report 2022 (‘the Report’) in its printed format.

This Report is prepared based on the Guiding Principles and Content Elements of the International <IR> Framework (January 2021, the ‘<IR> Framework’) of the International Integrated Reporting Council (‘IIRC’) and the Global Reporting Initiative’s (GRI’s) Sustainability Reporting Standards (‘GRI Standards 2021’) to bring out the various Content Elements of the <IR> Framework and performance trends related to identified material topics. The intended user of this Assurance Statement is the management of the Bank.

We performed a Type 2 Moderate Level of assurance using AccountAbility’s AA1000 Assurance Standard v3 (August 2020, ‘AA1000AS v3’) and DNV’s assurance methodology VeriSustainTM1, which is based on our professional experience, international assurance best practices including International Standard on Assurance Engagements 3000 (ISAE 3000) Revised* and the GRI’s Principles for Defining Report Content and Quality. Our assurance engagement was planned and carried out during February-March 2023 for the reported performance indicators during the reporting period January 01, 2022 to December 31, 2022.

We planned and performed our work to obtain the evidence we considered necessary to provide a basis for our assurance opinion, and our process did not involve engagement with external stakeholders. In doing so, we evaluated the qualitative and quantitative disclosures presented in the Report using the Guiding Principles of the <IR> Framework, together with the Bank’s procedures and protocols for how the non-financial performance was measured, recorded and reported.

The reporting topic boundary of sustainability/non-financial performance is as set out in the Report in the section ‘Basis of Preparation’ and is based on internal and external materiality assessment covering Commercial Bank’s banking and associated operations in Sri Lanka. The Report excludes performance data and information related to the activities of Commercial Bank’s seven subsidiaries – Commercial Development Co. PLC, CBC Tech Solutions Ltd., CBC Finance Ltd., Commex Sri Lanka S.R.L Italy, Commercial Bank of Maldives (Private) Limited, CBC Myanmar Microfinance Company Limited and Commercial Insurance Brokers (Pvt.) Ltd., and the operations of its associate, Equity Investments Lanka Ltd. as the results of their operations are not significant (<1 % revenue) compared to the overall results of the Bank.

Responsibilities of the Management of Commercial Bank and of the Assurance Provider

The Management team of the Bank have the sole accountability for the preparation of the Report and are responsible for the information disclosed in the Report as well as the processes for collecting, analysing and reporting the information presented in the Report. In performing the assurance work, our responsibility is to the management of the Bank; however, this statement represents our independent opinion and is intended to inform the outcome of our assurance to the stakeholders of the Bank.

DNV ’s assurance engagements are based on the assumption that the data and information provided by the client to us as part of our review have been provided in good faith and free from any misstatements. DNV expressly disclaims any liability or co-responsibility for any decision a person or an entity may make based on this Assurance Statement.

Our scope of work focussed on verification of non-financial disclosures only and excluded verification of the reported data on financial performance of the Bank, as financial disclosures and data has been subject to a separate independent statutory audit process.

Basis of our Opinion

We planned and performed our work to obtain the evidence considered necessary to provide a basis for our assurance opinion, and as part of the assurance engagement, a multi-disciplinary team of sustainability and assurance specialists conducted remote assessments and interactions with key internal stakeholders at the Bank’s Head Office and operational branches of the Bank in Sri Lanka based on DNV’s sampling plan. We adopted a risk-based approach, that is, we concentrated our remote verification efforts on the issues of high material relevance to the Bank and its key stakeholders. We undertook the following activities:

  • Reviewed the Bank’s approach to addressing the Guiding Principles and Content Elements of the <IR> Framework, including stakeholder engagement and its materiality determination process.
  • Verified the value creation disclosures related to the capitals identified by the Bank (capitals of the <IR> Framework and Digital Capital) as well as claims made in the Report;
  • Assessed the robustness of the data management system, data accuracy, information flow and controls for the reported disclosures.
  • Examined and reviewed selected evidence including documents, data and other information made available by the Bank related to non-financial disclosures presented within the Report;
  • Conducted interviews with top and senior management team of the Bank and other representatives, including data owners and decision-makers from different divisions and functions of the Bank to validate the non-financial disclosures. We were free to choose interviewees and interviewed those with overall responsibility to deliver the Bank’s sustainability objectives.
  • Review of processes and systems for preparing site level sustainability/non-financial data and implementation of sustainability strategy through onsite and remote assessments and interviews with management teams. We were free to choose the senior management team to interaction
  • Performed sample-based reviews of the mechanisms for implementing the Bank’s sustainability related policies, as described in the Report;
  • Performed sample-based checks of the processes for generating, gathering and managing the quantitative data and qualitative information included in the Report based on the GRI Standards.

During the assurance process, we did not come across limitations to the scope of the agreed assurance engagement.

Opinion and Observations

On the basis of the assurance work undertaken, nothing has come to our attention that causes us to believe that the Report does not properly describe Commercial Bank of Ceylon PLC’s adherence to the criteria of reporting (Guiding Principles and Content Elements) related to the <IR> Framework, representation of the material topics, business model, disclosures on value creation through six(6) identified capitals, related strategies and management approach, and chosen topic specific GRI Standards related to identified material topics. Without affecting our assurance opinion, we also provide the following observations.

AA1000 Accountability Principles Standard (2018)

Inclusivity

People should have a say in the decisions that impact them.

We reviewed the application of the principle of Inclusivity i.e. the process of stakeholder identification and engagement including effectiveness of the review process in identifying, engaging and responding to key sustainability concerns of significant stakeholders such as employees, customers, investors, regulators and society. The Bank has ongoing processes for stakeholder engagement to identify critical and emerging issues based on the changes in external environment through its documented stakeholder engagement process, however the stakeholder engagement process could be further strengthened to collect inputs, ideas and suggestions through structured customer feedback mechanisms on a proactive basis.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Inclusivity.

Materiality

Decision makers should identify and be clear about the sustainability topics that matter

The Report brings out the application of the Materiality principle of the <IR> Framework to arrive at significant material topics for the organisation considering its nature of business. As part of assurance, we reviewed the process of materiality assessment of the process of revalidation of materiality based on inputs from its key stakeholders.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Materiality.

Responsiveness

Organisations should act transparently on material sustainability topics and their related impacts

The key stakeholder concerns and the Bank’s responses to these concerns are fairly responded to within the Report through disclosures such as Bank’s business model, policies, management systems, governance mechanisms, disclosures on management approach. However, the bank can focus more disclosing the Bank’s short, medium, and long-term goals with respect to identified material topics in future reporting periods.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Responsiveness.

Impact

Organisations should monitor, measure, and be accountable for how their actions affect their broader ecosystems

The Report brings out the Bank’s metrics such as customer centricity, prudent growth, operational excellence, innovation etc. and management processes established for monitoring, measurement, and evaluation of key non-financial impacts on its internal and external stakeholders. The Report also describes both positive and negative impacts during the reporting period and related approaches to mitigate risks if any, to constantly create and change value for the Bank and its key stakeholders.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Impact.

Specific Evaluation of the Information on Sustainability Performance

We consider the methodology and process for gathering information developed by Commercial Bank for its non-financial/sustainability performance reporting to be appropriate, and the qualitative and quantitative data included in the Report was found to be identifiable and traceable; the personnel responsible were able to demonstrate the origin and interpretation of the data and its reliability. We observed that the Report presents a faithful description of the reported sustainability activities and goals achieved for the reporting period.

Reliability

The accuracy and comparability of information presented in the report, as well as the quality of underlying data management systems

The Report brings out Commercial Bank’s non-financial performance for identified material matters through chosen GRI Topic Specific Standards. The robustness of the data management and aggregation systems was evaluated and verified through our remote assessments at the Head Office and were found to be fairly accurate and reliable. Some of the data inaccuracies identified during the verification process were found to be attributable to transcription, interpretation and aggregation errors and these errors have been corrected.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Reliability.

Additional principles as per DNV VeriSustain

Completeness

How much of all the information that has been identified as material to the organisation and its stakeholders is reported

The Report has brought out the Content Elements, Guiding Principles and value creation through its six (6) identified capitals, its business model, strategies and management approach disclosures in line with the <IR> Framework and its key requirements as well as non-financial performance related to material topics through chosen GRI Standards of entities within the chosen reporting boundary considering the Bank’s sphere of control and influence.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Completeness.

Neutrality

The extent to which a report provides a balanced account of an organisation’s performance, delivered in a neutral tone

The Report brings out the Bank’s challenges, concerns related to key stakeholders such as employees, customers, investors, regulators and society and responses to challenges during the reporting period in a neutral tone in terms of content and presentation.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Neutrality.

Statement of Competence and Independence

DNV applies its own management standards and compliance policies for quality control, in accordance with ISO IEC 17021:2015 - Conformity Assessment Requirements for bodies providing audit and certification of management systems, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

We have complied with the DNV Code of Conduct2 during the assurance engagement and maintain independence where required by relevant ethical requirements including the AA1000AS v3 Code of Practice. This engagement work was carried out by an independent team of sustainability assurance professionals. DNV was not involved in the preparation of any statements or data included in the Report except for this Assurance Statement and Management Report. DNV maintains complete impartiality toward stakeholders interviewed during the assurance process. DNV did not provide any services to Commercial Bank and its subsidiaries in the scope of assurance during 2022-23 that could compromise the independence or impartiality of our work.

For and on behalf of DNV AS

Colombo, Sri Lanka
March 01, 2023

Tapan

Tapan Kumar Panda
Lead Verifier,
DNV Business Assurance India Private Limited, India.

Prakash Tikare
Country Manager- India & Sri Lanka
DNV Business Assurance India Private Limited, India.

Bhargav Lankalapalli
Technical Reviewer
DNV Business Assurance India Private Limited, India.

DNV Business Assurance Lanka (Private) Limited is part of DNV – Business Assurance, a global provider of certification, verification, assessment and training services, helping customers to build sustainable business performance. www.dnv.com

1 The VeriSustain protocol is available on request from www.dnv.com .The protocol is based on our professional experience, international assurance best practice including International Standard on Assurance Engagements 3000 (ISAE 3000) Revised (Assurance Engagements other than Audits or Reviews of Historical Financial Information) and the Global Reporting Initiative’s (GRI’s) Principles for Defining Report Content and Quality.

Project No.: PRJN-508793-2023-AST-LKA