Mandatory Nonfinancial Reporting in the EU

Implementation of the Directive in EU Member States

The European Union, as a supranational organization, does not create new law; rather, it provides a framework for the EU member states, which must develop and impose the legal requirements for the business entities. While each country must follow the general guidelines laid out in the directive, the different member states are allowed some discretion with regard to the definition of the companies subject to the rules, the audit/attest requirements, and the related penalties.

The deadline for individual member states to codify the directive into law passed in December 2016; thus, at this point it is possible to provide an overview of the different standards across EU member states. A recently published study (Enterprise 2020 CSR Europe, GRI, and Accountancy Europe, Member State Implementation of Directive 2014/95/EU: A Comprehensive Overview of How Member States Are Implementing the EU Directive on Nonfinancial and Diversity Information, 2018, http://bit.ly/2K8muhC) summarizes the current status of implementation for all 28 member states and the two European Economic Area (EEA) countries, Iceland and Norway, as of April 2018. According to this study, the key areas that exhibit differences across the EU are as follows:

• The EU outlines that companies subject to the directive meet certain size criteria and be either banks, insurance companies, or other “public interest” entities. Approximately two-thirds of the countries keep the size definition the same as the EU, but 80% adapt the term “public interest” entity by including public utilities, pension fund managers, health insurance companies, state railways, or even municipalities.
• The EU prescribes that the topics and content of the report comprise information about policies and outcome of such policies concerning environmental and social issues, human rights, anticorruption matters, diversity on company boards. While most countries follow this outline, eight member states have adapted this rule.
• The reporting framework used to develop the national laws can be either the EU framework, the country’s own national framework, or some other international framework. Again, most countries follow the directive in this respect.
• The required nonfinancial disclosure may be presented to stakeholders either in the company’s annual report or as a separate report published alongside the annual report or within six months of the balance sheet date. This rule has been adapted by 23 countries.
• According to the directive, if a company does not pursue policies in relation to one or more of the four topics, it must provide a clear and reasoned explanation for doing so. Furthermore, the directive requires a statutory auditor or an audit firm to verify that the required nonfinancial disclosures have been published. Interestingly, the EU only asks that auditors verify the existence of the nonfinancial report; there is no assurance requirement with regard to its content.
• Twenty-seven countries include some form of penalty in the case of noncompliance; three countries (Estonia, the Netherlands, and Spain) do not mention penalties. Depending upon the individual country, these penalties might be assessed on individual responsible persons or the responsible entities. Furthermore, they could be assessed on a case-by-case basis (as specified in the United Kingdom), be relatively low (e.g., €50 to €1,500 imposed on responsible persons in Portugal), or be quite significant (up to €1 million in Latvia or “class A fine” or imprisonment in Ireland).
• Safe harbor rules exist in 25 countries; five do not include them.
• According to the EU, companies licensed to trade securities must also issue a diversity report with information about age, gender, and professional and educational background at different management levels. One-third of the countries adapt this rule.

In summary, while countries have adapted some aspects of the directive, most rules were implemented in some form.

Reports Issued in Compliance with the Directive

Because Directive 2014/95/EU is effective for years beginning on or after January 1, 2017, public interest entities meeting the size thresholds and issuing reports during 2018 for the 2017 financial year must now comply. Companies subject to the directive should include non-financial reports either within their management report or as a separate document. Exhibit 1 illustrates the nonfinancial reporting method for a sample of EU companies and provides links to the companies’ nonfinancial reports.

Currently, there are no U.S. regulatory requirements for U.S.-based companies to prepare the mandatory nonfinancial disclosures specified in the directive or to prepare any type of corporate social responsibility report (with some limited exceptions, such as required disclosures about mine safety and conflict minerals). U.S. companies that operate in EU countries and meet the reporting standards will, however, have to follow the nonfinancial reporting requirements. This may not be a major change for some of these businesses, since many of the largest U.S. companies already prepare these types of reports. Exhibit 2 lists a sample of U.S. companies with significant operations in Europe that currently (and, for some, for multiple years) prepare some type of non-financial disclosure document, with links to the various reports.

Implications for CPAs in the United States

While the directive applies to public interest entities in the EU, CPAs in the United States need to be aware of the directive and its implications for U.S. companies. For now, only the largest U.S. companies that are considered “public interest” entities, including entities operating in member states of the EU that meet the size criteria outlined above, are subject to the rules of the directive. As noted above, many of the largest U.S. companies already prepare separate reports that may meet the requirements of the directive; however, those entities (and their accountants) should be aware of the specific disclosures required by the directive and add them to their existing reports if necessary to avoid any penalties associated with noncompliance.

Depending on the country in which the U.S. business operates, different rules will apply; however, most countries require that an audit firm verify the existence of the nonfinancial report. U.S. companies may not be aware of this requirement and may not know what kind of penalties would be imposed upon them for not providing the report. Because auditors of the financial statements will likely be responsible for this, they need to make sure that their clients are in compliance.

Although currently only the existence of the report must be verified, the language in the directive leaves member states open to require auditor verification of the content of the nonfinancial reports: “Statutory auditors and audit firms should only check that the non-financial statement or the separate report has been provided. In addition, it should be possible for member states to require that the information included in the non-financial statement or in the separate report be verified by an independent assurance services provider.” U.S. auditors should be prepared for this and may want to take this opportunity to discuss with their clients how they can use their nonfinancial reports to create a competitive advantage. With more international companies now issuing nonfinancial reports, auditors can help their clients improve the credibility of their nonfinancial reports by validating the contents. Thus, companies (with help of their accountants and auditors) can differentiate themselves by not only broadcasting how they address environmental, social, human rights, anticorruption, and diversity issues, but also enhancing the credibility through the provision of external assurance. Understanding the requirements of the directive can put U.S. CPAs ahead of the game in the event the United States follows suit and begins requiring nonfinancial reports or external assurance of nonfinancial disclosures.