Supplementary Information

Annex 5: Independent Assurance Reports

Annex 5.1: Independent Assurance Report to Commercial Bank of Ceylon PLC on the Sustainability Reporting Criteria Presented in the Integrated Annual Report- 2020

Introduction and scope of the engagement

The management of Commercial Bank of Ceylon PLC (“the Bank”) engaged us to provide an independent assurance on the following elements of the sustainability reporting criteria presented in the annual report- 2020 (“the Report”).

  • Reasonable assurance on the information on financial performance as specified on page 354 of the Report.
  • Limited assurance on other information presented in the Report, prepared in accordance with the requirements of the Global Reporting Initiative GRI Standards: ‘In accordance’ – Core guidelines.

Basis of our work and level of assurance

We performed our procedures to provide limited assurance in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE 3000): ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’, issued by the Institute of Chartered Accountants of Sri Lanka (“CASL”).

The evaluation criteria used for this limited assurance engagement are based on the Sustainability Reporting Guidelines (“GRI Guidelines”) and related information in particular, the requirements to achieve GRI Standards ‘In accordance’ - Core guideline publication, publicly available at GRI’s global website at “”.

Our engagement provides limited assurance as well as reasonable assurance. A limited assurance engagement is substantially less in scope than a reasonable assurance engagement conducted in accordance with SLSAE-3000 and consequently does not enable to obtain assurance that we would become aware of all significant matters that might be identified in a reasonable assurance engagement. Accordingly, we do not express an opinion providing reasonable assurance.

Management of the Bank’s responsibility for the Report

The management of the Bank is responsible for the preparation of the self-declaration, the information and statements contained within the Report, and for maintaining adequate records and internal controls that are designed to support the sustainability reporting process in line with the GRI Sustainability Reporting Guidelines.

Ernst & Young’s responsibility

Our responsibility is to express a conclusion as to whether we have become aware of any matter that causes us to believe that the Report is not prepared in accordance with the requirements of the Global Reporting Initiative, GRI Standards: ‘In accordance’ - Core guidelines. This report is made solely to the Bank in accordance with our engagement letter dated 08 February 2021. We disclaim any assumption of responsibility for any reliance on this report to any person other than the Bank or for any purpose other than that for which it was prepared. In conducting our engagement, we have complied with the independence requirements of the Code for Ethics for Professional Accountants issued by the CASL.

Key assurance procedures

We planned and performed our procedures to obtain the information and explanations considered necessary to provide sufficient evidence to support our limited assurance conclusions. Key assurance procedures included:

  • Interviewing relevant the Bank’s personnel to understand the process for collection, analysis, aggregation and presentation of data.
  • Reviewing and validation of the information contained in the Report.
  • Checking the calculations performed by the Bank on a sample basis through recalculation.
  • Reconciling and agreeing the data on financial performance are properly derived from the Bank’s audited financial statements for the year ended December 31, 2020.
  • Comparison of the content of the Report against the criteria for a Global Reporting Initiative, GRI Standards: ‘In accordance’ – Core guidelines.

Our procedures did not include testing electronic systems used to collect and aggregate the information.

Limitations and considerations

Environmental and social performance data are subject to inherent limitations given their nature and the methods used for determining, calculating and estimating such data.


Based on the procedures performed, as described above, we conclude that;

  • The information on financial performance as specified on page 354 of the Report are properly derived from the audited financial statements of the Bank for the year ended December 31, 2020.
  • Nothing has come to our attention that causes us to believe that other information presented in the Report are not fairly presented, in all material respects, in accordance with the Bank’s sustainability practices and policies some of which are derived from Sustainability Reporting Guideline, GRI Standards- ‘In accordance’ Core.

Ernst & Young
Chartered Accountants

February 24, 2021


ANNEX 5.2: Independent Assurance Statement on Non-Financial Reporting – DNV GL

1 The VeriSustain protocol is available on request from

* Assurance Engagements other than Audits or Reviews of Historical Financial Information.

Project No.: PRJN-224950-2021-AST-LKA

Independent Assurance Statement

Scope and Approach

DNV GL represented by DNV GL Business Assurance Lanka (Private) Limited (‘DNV GL’) was engaged by management of Commercial Bank of Ceylon PLC (‘Commercial Bank’ or ‘the Bank’, Company Registration Number PQ116) to undertake an independent assurance of the qualitative and quantitative non-financial information (sustainability performance) presented in the Bank’s Annual Report 2020 (‘the Report’) in its printed format.

This Report is prepared based on the Guiding Principles and Content Elements of the International <IR> Framework (December 2013, the ‘<IR> Framework’) of the International Integrated Reporting Council (‘IIRC’) and the Global Reporting Initiative’s (GRI’s) Sustainability Reporting Standards (‘GRI Standards’)to bring out the various Content Elements of the <IR> Framework and performance trends related to identified material topics. The intended user of this Assurance Statement is the management of the Bank.

We performed a Type 2 Moderate Level of assurance using Account Ability’s AA1000 Assurance Standard v3 (August 2020, ‘AA1000AS v3’) and DNV GL’s assurance methodology VeriSustainTM1, which is based on our professional experience, international assurance best practices including International Standard on Assurance Engagements 3000 (ISAE 3000) Revised* and the GRI’s Principles for Defining Report Content and Quality. Our assurance engagement was planned and carried out during February 2021 for the reported performance indicators during the reporting period 1st January 2020 to 31st December 2020.

We planned and performed our work to obtain the evidence we considered necessary to provide a basis for our assurance opinion, and our process did not involve engagement with external stakeholders. In doing so, we evaluated the qualitative and quantitative disclosures presented in the Report using the Guiding Principles of the <IR> Framework, together with the Bank’s procedures and protocols for how the non-financial performance was measured, recorded and reported.

The reporting topic boundary of sustainability/non-financial performance is as set out in the Report in the section ‘Basis of Preparation’ and is based on internal and external materiality assessment covering Commercial Bank’s banking and associated operations in Sri Lanka. The Report excludes performance data and information related to the activities of Commercial Bank’s seven subsidiaries – Commercial Development Co. PLC, CBC Tech Solutions Ltd., CBC Finance Ltd., Commercial Insurance Brokers (Pvt.) Ltd., Commex SriLanka S.R.L Italy, Commercial Bank of Maldives (Private) Limited, CBC Myanmar Microfinance Company Limited and the operations of its associate, Equity Investments Lanka Ltd. as the results of their operations are not significant (<1 % revenue) compared to the overall results of the Bank.

Responsibilities of the Management of Commercial Bank and of the Assurance Provider

The Management team of the Bank have the sole accountability for the preparation of the Report and are responsible for the information disclosed in the Report as well as the processes for collecting, analysing and reporting the information presented in the Report. In performing the assurance work, our responsibility is to the management of the Bank; however, this statement represents our independent opinion and is intended to inform the outcome of our assurance to the stakeholders of the Bank.

DNV GL’s assurance engagements are based on the assumption that the data and information provided by the client to us as part of our review have been provided in good faith and free from any misstatements. DNV GL expressly disclaims any liability or co-responsibility for any decision a person or an entity may make based on this Assurance Statement. Our scope of work focussed on verification of non-financial disclosures only and excluded verification of the reported data on financial performance of the Bank, as financial disclosures and data has been subject to a separate independent statutory audit process.

Basis of our Opinion

We planned and performed our work to obtain the evidence considered necessary to provide a basis for our assurance opinion as part of the assurance engagement. We adopted a risk-based approach, i.e. we concentrated our verification efforts on the issues of high material relevance to Bank and its key stakeholders., As part of the engagement, a multi-disciplinary team of sustainability and assurance specialists reviewed sustainability disclosures related to Commercial Bank’s operations. Due to the outbreak of the COVID-19 pandemic and associated travel restrictions, we carried out remote assessments as one-to-one discussions and onsite location assessments were not feasible. We undertook the following activities:

  • Review of Commercial Bank’s approach to non-financial reporting based on the <IR> Framework including stakeholder relationships and materiality determination process and its outcomes as reported in this Report. We did not have any direct engagement with external stakeholders.
  • Verified the value creation disclosures related to the six (6) capitals identified by the Bank as well as claims made in the Report.
  • Interviews with selected senior management team responsible for management of sustainability issues and review of selected evidence to support issues discussed. We were free to choose interviewees and interviewed those with overall responsibility to deliver the Company’s sustainability objectives.
  • Review of supporting evidence related to qualitative & quantitative disclosures within the Report against identified material aspect.
  • Assessed the robustness of the data management system, data accuracy, information flow and controls for the reported disclosures.
  • Review of the processes for gathering and consolidating the specified performance data and, for a sample, checking the data consolidation.

During the assurance process, we did not come across limitations to the scope of the agreed assurance engagement.

Opinion and Observations

On the basis of the assurance work undertaken, nothing has come to our attention that causes us to believe that the Report does not properly describe Commercial Bank’s adherence to the criteria of reporting (Guiding Principles and Content Elements) related to the <IR> Framework, representation of the material topics, business model, disclosures on value creation through six(6) identified capitals, related strategies and management approach, and chosen topic specific GRI Standards related to identified material topics. Without affecting our assurance opinion, we also provide the following observations.

AA1000 AccountAbility Principles Standard (2018)


People should have a say in the decisions that impact them.

We reviewed the application of the principle of Inclusivity i.e. the process of stakeholder identification and engagement including effectiveness of the review process in identifying, engaging and responding to key sustainability concerns of significant stakeholders such as employees, customers, investors, regulators and society. The Bank has ongoing processes for stakeholder engagement to identify critical and emerging issues based on the changes in external environment through its documented stakeholder engagement process, however the stakeholder engagement process could be further strengthened to collect inputs, ideas and suggestions through structured customer feedback mechanisms on a proactive basis.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Inclusivity.


Decision makers should identify and be clear about the sustainability topics that matter

The Report brings out the application of the Materiality principle of the <IR> Framework to arrive at material topics for the organization considering its nature of business, stakeholder concerns, frameworks and charters to which bank subscribes. Further, Bank has reviewed the process of materiality assessment and revalidation of materiality based on the external environment and key stakeholders expectations.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Materiality.


Organisations should act transparently on material sustainability topics and their related impacts

The key stakeholder concerns and the Bank’s responses to these concerns are fairly responded to within the Report through disclosures such as Bank’s business model, policies, management systems, governance mechanisms, disclosures on management approach. However, the bank can focus more disclosing the Bank’s short, medium, and long-term goals with respect to identified material topics in future reporting periods.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Responsiveness.


Organisations should monitor, measure, and be accountable for how their actions affect their broader ecosystems

The Report brings out the Bank’s metrics such as customer centricity, prudent growth, operational excellence, innovation etc. and management processes established for monitoring, measurement, and evaluation of key non-financial impacts on its internal and external stakeholders. The Report also describes both positive and negative impacts during the reporting period and related approaches to mitigate risks if any, to constantly create and change value for the Bank and its key stakeholders.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Impact.

Specific Evaluation of the Information on Sustainability Performance

We consider the methodology and process for gathering information developed by Commercial Bank for its non-financial/sustainability performance reporting to be appropriate, and the qualitative and quantitative data included in the Report was found to be identifiable and traceable; the personnel responsible were able to demonstrate the origin and interpretation of the data and its reliability. We observed that the Report presents a faithful description of the reported sustainability activities and goals achieved for the reporting period.


The accuracy and comparability of information presented in the report, as well as the quality of underlying data management systems

The Report brings out Commercial Bank’s non-financial performance for identified material matters through chosen GRI Topic Specific Standards based on the protocols established from reliability and accuracy perspective. The robustness of the data management and aggregation systems was evaluated and verified through our remote assessments and were found to be fairly accurate and reliable. Some of the data inaccuracies identified during the verification process were found to be attributable to transcription, interpretation and aggregation errors and these errors have been corrected.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Reliability.

Additional Principles as per DNV GL VeriSustain


How much of all the information that has been identified as material to the organisation and its stakeholders is reported

The Report has brought out the Content Elements, Guiding Principles and value creation through its six(6) identified capitals, its business model, strategies and management approach disclosures in line with the <IR> Framework and its key requirements as well as non-financial performance related to material topics through chosen GRI Standards of entities within the chosen reporting boundary considering the Bank’s sphere of control and influence.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Completeness.


The extent to which a report provides a balanced account of an organization’s performance, delivered in a neutral tone

The Report brings out the Bank’s challenges, concerns related to key stakeholders such as employees, customers, investors, regulators and society and responses to challenges during the reporting period in a neutral tone in terms of content and presentation.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Neutrality.

Statement of Competence and Independence

DNV GL applies its own management standards and compliance policies for quality control, in accordance with ISO IEC 17021:2015 - Conformity Assessment Requirements for bodies providing audit and certification of management systems, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

We have complied with the DNV GL Code of Conduct2 during the assurance engagement and maintain independence where required by relevant ethical requirements including the AA1000AS v3 Code of Practice. This engagement work was carried out by an independent team of sustainability assurance professionals. DNV GL was not involved in the preparation of any statements or data included in the Report except for this Assurance Statement and Management Report. DNV GL maintains complete impartiality toward stakeholders interviewed during the assurance process. DNV GL did not provide any services to Commercial Bank and its subsidiaries in the scope of assurance during 2020-21 that could compromise the independence or impartiality of our work.

For and on behalf of DNV GL AS

Bhargav Lankalapalli
Lead Verifier

DNV GL Business Assurance India Private Limited, India

Rohita Wickramasinghe
Operations Manager – Sri Lanka

DNV GL Business Assurance Lanka (Private) Limited, Sri Lanka

Nandkumar Vadakepatth
Assurance Reviewer

DNV GL Business Assurance India Private Limited, India

March 1, 2021
Sri Lanka.

DNV GL Business Assurance Lanka (Private) Limited is part of DNV GL – Business Assurance, a global provider of certification, verification, assessment and training services, helping customers to build sustainable business performance.

Project No.: PRJN-224950-2021-AST-LKA

2 The DNV GL Code of Conduct is available on request from

Project No.: PRJN-224950-2021-AST-LKA