Annex 5: Independent Assurance Reports

Independent Assurance Report to the Board of Directors of Commercial Bank of Ceylon PLC in the Integrated Annual Report – 2021

Scope

We have been engaged by the management of Commercial Bank of Ceylon PLC (“the Bank”) to perform an independent assurance engagement, as defined by the Sri Lankan Standard on Assurance Engagements, on the following elements of its Integrated Annual Report for the year ended December 31, 2021 (the “Integrated Report”).

• Reasonable assurance engagement on the information on financial capital management as specified on pages 33 to 37 of the Integrated Report.
• Limited assurance engagement on other information on management of the capitals (other than financial capital), stakeholder engagement, business model, strategy, organizational overview & external environment and outlook presented in the Integrated Report.

Criteria applied by Commercial Bank of Ceylon PLC

The Integrated Report is prepared based on the Guiding Principles and Content Elements of the International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework) (the “criteria”) publicly available at IIRC’s website at “www.integratedreporting.org”.

Commercial Bank of Ceylon PLC’s responsibilities

Commercial Bank of Ceylon PLC’s management is responsible for selecting the criteria, and for presenting the Integrated Report in accordance with the said criteria, in all material respects. This responsibility includes establishing and maintaining internal controls, maintaining adequate records and making estimates that are relevant to the preparation of the Integrated Report, such that it is free from material misstatement, whether due to fraud or error.

Ernst & Young’s responsibilities

Our responsibility is to express a conclusion on the presentation of the Integrated Report in accordance with the Guiding Principles and Content Elements of the International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework) based on the evidence we have obtained.

We conducted our engagement in accordance with the Sri Lanka Standard on Assurance Engagements SLSAE 3000: Assurance Engagements other than Audits or Reviews of Historical Financial Information (SLSAE 3000) issued by the Institute of Chartered Accountants of Sri Lanka and the terms of reference for this engagement as agreed with Commercial Bank of Ceylon PLC in the engagement letter dated February 02, 2022.

The standards require that we plan and perform our engagement to express a conclusion on whether we are aware of any material modifications that need to be made to the Integrated Report in order for it to be in accordance with the criteria, and to issue a report. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risk of material misstatement, whether due to fraud or error.

We believe that the evidence obtained is sufficient and appropriate to provide a basis for our independent assurance conclusion.

Our Independence and Quality Control

We have maintained our independence and confirm that we have met the requirements of the Code of Ethics for Professional Accountants issued by the Institute of Chartered Accountants of Sri Lanka and have the required competencies and experience to conduct this assurance engagement.

EY also applies Sri Lanka Standard on Quality Control (SLSQC 1), Quality Control for Firms that Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Description of procedures performed

We performed our procedures to provide reasonable and limited assurance engagement in accordance with SLSAE 3000.

Procedures performed in the reasonable assurance engagement depend on our judgement, including the assessment of the risks of material misstatement whether due to fraud or error. In making those risk assessments, we have considered internal control relevant to the preparation and presentation of the reasonable assurance indicators in order to design the assurance procedures that are appropriate in the circumstances. Our procedures also included assessing the appropriateness of the reasonable assurance indicators, the suitability of the criteria in preparing and presenting the reasonable assurance indicators within the Integrated Report and obtaining an understanding of the compilation of the financial information to the sources from which it was obtained.

Procedures performed in the limited assurance engagement consisted of making inquiries, primarily of persons responsible for preparing the Integrated Report and related information and applying analytical and other appropriate procedures. These procedures vary in nature and timing from and are less in extent than for a reasonable assurance engagement. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed.

Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.

We also performed the below procedures as we considered necessary in the circumstances:

• Perform a comparison of the content of the Integrated Annual Report against the Guiding Principles and Content Elements given in the International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).
• Perusing the Integrated Annual Report – Financial Capital element information to understand whether the information contained are properly derived from the audited financial statements.
• Interviewing the selected key management personnel and relevant staff to understand the internal controls, governance structure and reporting process relevant to the Integrated Report.
• Obtaining an understanding of the relevant internal policies and procedures developed by the Bank, including those relevant to determining what matters most to the stakeholders, how the Bank creates value, the external environment, strategy, approaches to putting members first, governance and reporting.
• Obtaining an understanding of the description of the Bank’s strategy and how the Bank creates value, what matters most to the stakeholders and enquiring the management as to whether the description in the Integrated Report accurately reflects their understanding.
• Perusing the Board of Directors meeting minutes during the financial year to ensure consistency with the content of the Integrated Report.
• Perusing the relevant supporting evidence related to qualitative & quantitative disclosures within the Integrated Report against identified material aspects.
• Perusing the Integrated Report in its entirety to ensure it is consistent with our overall knowledge obtained during the assurance engagement.

Emphasis of matter

Social, natural, and intellectual capital management data/information are subjected to inherent limitations given their nature and the methods used for determining, calculating, and estimating such data.

We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Integrated Report.

Restricted use

This report is intended solely for the information and use of Commercial Bank of Ceylon PLC and is not intended to be and should not be used by anyone other than the specified party.

Conclusion

Based on our procedures and the evidence obtained, we conclude that:

• The information on financial capital management as specified in the section on Business Model  of the Integrated Report are properly derived from the audited financial statements of the Bank for the year ended December 31, 2021.
• Nothing has come to our attention that causes us to believe that other information presented in the Integrated Report are not fairly presented, in all material respects, in accordance with the Guiding Principles and Content Elements of the International Integrated Reporting Council (IIRC)’s Integrated Reporting Framework (<IR> Framework).

Chartered Accountants
February 25, 2022
Colombo

Independent Assurance Report to the Board of Directors of Commercial Bank of Ceylon PLC on the Sustainability Reporting Criteria Presented in the Integrated Annual Report - 2021

Scope

We have been engaged by the management of Commercial Bank of Ceylon PLC (“the Bank”) to perform an independent assurance engagement, as defined by the Sri Lankan Standard on Assurance Engagements, on the sustainability reporting criteria presented in the Integrated Annual Report for the year ended December 31, 2021 (the “Report”).

• Reasonable assurance on the information on financial performance as specified in the section on Annex 4  of the Report.
• Limited assurance on other information presented in the Report, prepared in accordance with the GRI Standards: Core option.

Criteria applied by Commercial Bank of Ceylon PLC

The sustainability reporting criteria presented in the Report has been prepared in accordance with The Global Reporting Initiative's (GRI) Sustainability Reporting Guidelines, publicly available at GRI’s global website "www.globalreporting.org".

This Report has been prepared in accordance with the GRI Standards: Core option (the “criteria”).

Commercial Bank of Ceylon PLC’s responsibilities

Commercial Bank of Ceylon PLC’s management is responsible for selecting the criteria, and for presenting the Report in accordance with the said criteria, in all material respects. This responsibility includes establishing and maintaining internal controls, maintaining adequate records and making estimates that are relevant to support the sustainability reporting process of the Report, such that it is free from material misstatement, whether due to fraud or error.

Ernst & Young’s responsibilities

Our responsibility is to express a conclusion on the presentation of the Report in accordance with the GRI Standards: Core option based on the evidence we have obtained.

We conducted our engagement in accordance with the Sri Lanka Standard on Assurance Engagements SLSAE 3000: Assurance Engagements other than Audits or Reviews of Historical Financial Information (SLSAE 3000) issued by the Institute of Chartered Accountants of Sri Lanka and the terms of reference for this engagement as agreed with Commercial Bank of Ceylon PLC in the engagement letter dated February 02, 2022.

The standards require that we plan and perform our engagement to express a conclusion on whether we are aware of any material modifications that need to be made to the Report in order for it to be in accordance with the criteria, and to issue a report. The nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risk of material misstatement, whether due to fraud or error.

We believe that the evidence obtained is sufficient and appropriate to provide a basis for our independent assurance conclusion.

Our Independence and Quality Control

We have maintained our independence and confirm that we have met the requirements of the Code of Ethics for Professional Accountants issued by the Institute of Chartered Accountants of Sri Lanka and have the required competencies and experience to conduct this assurance engagement.

EY also applies Sri Lanka Standard on Quality Control (SLSQC 1), Quality Control for Firms that Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Description of procedures performed

We performed our procedures to provide an independent assurance engagement in accordance with SLSAE 3000.

Procedures performed in the reasonable assurance engagement depend on our judgement, including the assessment of the risks of material misstatement whether due to fraud or error. In making those risk assessments, we have considered internal control relevant to the preparation and presentation of the reasonable assurance Indicators in order to design the assurance procedures that are appropriate in the circumstances. Our procedures also included assessing the appropriateness of the reasonable assurance indicators, the suitability of the criteria in preparing and presenting the reasonable assurance indicators within the Report and obtaining an understanding of the compilation of the financial information to the sources from which it was obtained.

Procedures performed in the limited assurance engagement consisted of making inquiries, primarily of persons responsible for preparing the Report and related information and applying analytical and other appropriate procedures. These procedures vary in nature and timing from and are less in extent than for a reasonable assurance engagement. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed.

Although we considered the effectiveness of management’s internal controls when determining the nature and extent of our procedures, our assurance engagement was not designed to provide assurance on internal controls. Our procedures did not include testing controls or performing procedures relating to checking aggregation or calculation of data within IT systems.

We also performed the below procedures as we considered necessary in the circumstances:

• Perform a comparison of the content of the Report against the Global Reporting Initiative (GRI) - GRI Standards guideline.
• Interviewing relevant organization’s personnel to understand the process for collection, analysis, aggregation and presentation of data.
• Review and validation of the information contained in the Report.
• Check the calculations performed by the organization on a sample basis through recalculation.
• Advice, make recommendations and suggestions on the Sustainability Reporting indicators to improve the presentation standard.
• Independently review the content of the Report and request changes if required.
• Express an independent assurance conclusion on the performance indicators presented in the Sustainability Reporting criteria.

Emphasis of matter

Social, natural, and intellectual capital management data/information are subjected to inherent limitations given their nature and the methods used for determining, calculating, and estimating such data.

We also do not provide any assurance on the assumptions and achievability of prospective information presented in the Report.

Restricted use

This report is intended solely for the information and use of Commercial Bank of Ceylon PLC and is not intended to be and should not be used by anyone other than the specified party.

Conclusion

Based on our procedures and the evidence obtained, we conclude that:

• The information on financial performance as specified in the section on Annex 4  of the Report is properly derived from the audited financial statements of the Bank for the year ended December 31, 2021.
• Nothing has come to our attention that causes us to believe that other information presented in the Report are not fairly presented, in all material respects, in accordance with the Bank’s sustainability practices and policies some of which are derived from the GRI Standards: Core option.

Chartered Accountants
February 25, 2022
Colombo

Introduction

DNV represented by DNV Business Assurance Lanka (Private) Limited (‘DNV’) has been commissioned by the management of Commercial Bank of Ceylon PLC (‘Commercial Bank’ or ‘the Bank’, Corporate Registration Number PQ 116) to carry out an independent assurance engagement of its non-financial/sustainability performance disclosed in the Bank’s Annual Report 2021 (‘the Report’) in its printed format. The non-financial performance in this Report covers the disclosures related to material matters for the reporting period January 01, 2021 – December 31, 2021.

The Report comprises sustainability disclosures which have been prepared by Commercial Bank based on the Guiding Principles and Content Elements of the International <IR> Framework (December 2013, the ‘<IR> Framework’) of the International Integrated Reporting Council (‘IIRC’) and the Global Reporting Initiative’s (GRI’s) Sustainability Reporting Standards (‘GRI Standards’) to bring out the various Content Elements of the <IR> Framework as well as performance trends related to identified material matters/topics.

The reporting topic boundaries for non-financial performance are based on the internal and external materiality assessment carried out by Commercial Bank and covers identified material topics for the Bank’s banking and associated operations as brought out in the Report in the sections ‘Introducing our 53rd Annual Report’ and ‘Material Matters’. The Report excludes performance data and information related to the activities of Commercial Bank’s seven subsidiaries – Commercial Development Co. PLC, CBC Tech Solutions Ltd., CBC Finance Ltd., Commercial Insurance Brokers (Pvt.) Ltd., Commex SriLanka S.R.L Italy, Commercial Bank of Maldives (Private) Limited, CBC Myanmar Microfinance Company Limited and the operations of its associate, Equity Investments Lanka Ltd. as the results of their operations are not significant (<1 % revenue) compared to the overall results of the Bank.

We performed our assurance (Type 2, Moderate level) activities based on AccountAbility’s AA1000 Assurance Standard v3, and DNV’s assurance methodology VeriSustainTM . In doing so, we evaluated the qualitative and quantitative disclosures presented in the Report, together with using the Guiding Principles of the <IR> Framework, together with the Bank’s procedures and protocols for how the non-financial performance was measured, recorded and reported. Our assurance engagement was planned and carried out during February 2022 – March 2022.

The intended user of this assurance statement is the Management of Commercial Bank. We disclaim any liability or responsibility to a third party for decisions, whether investment or otherwise, based on this Assurance Statement. We planned and performed our work to obtain the evidence we considered necessary to provide a basis for our assurance opinion and this process did not involve engagement with any external stakeholders.

Responsibilities of the Management of Commercial Bank and of the Assurance Provider

The Management of the Bank has the sole responsibility for the preparation of the Report as well as the processes for collecting, analysing and reporting the information presented in the Report and also responsible for ensuring the maintenance and integrity of its website and any referenced disclosures on non-financial performance and management approach. In performing this assurance work, DNV’s responsibility is to the Management of Commercial Bank; however, this statement represents our independent opinion and is intended to inform the outcome of the assurance to the stakeholders of the Bank.

DNV’s assurance engagements are based on the assumption that the data and information provided by the client to us as part of our review have been provided in good faith and free from material misstatements or errors. We were not involved in the preparation of any statements or data included in the Report except for this Assurance Statement.

We did not come across limitations to scope of the agreed assurance agreement during our assurance process. We understand that any reported data on financial performance of the Bank including its subsidiaries within the Report are based on financial disclosures and data which has been subjected to a separate independent statutory audit process and is not included in our scope
of work.

Basis of our Opinion

We planned and performed our work to obtain the evidence considered necessary to provide a basis for our assurance opinion, and as part of the assurance engagement, a multi-disciplinary team of sustainability and assurance specialists conducted remote assessments and interactions with key internal stakeholders at the Bank’s Head Office in Colombo, Sri Lanka. We adopted a risk-based approach, that is, we concentrated our remote verification efforts on the issues of high material relevance to the Bank and its key stakeholders. Due to the COVID-19 pandemic and associated travel restrictions, we carried out remote assessments as in-person discussions and onsite assessments were not feasible. We undertook the following activities:

• Reviewed Commercial Bank’s approach to addressing the Guiding Principles and Content Elements of the <IR> Framework, including stakeholder engagement and materiality determination process, as well as outcomes as brought out in the Report;
• Verified the value creation disclosures related to the capitals identified by the Bank (capitals of the <IR> Framework) as well as claims made in the Report;
• Examined and reviewed selected evidences including documents, data and other information made available by the Bank related to non-financial disclosures presented within the Report;
• Assessed the robustness of the data management system, data accuracy, information flow and controls for the reported disclosures;
• Conducted interviews with the senior management team of the Bank and other representatives, including data owners and decision-makers from various functions of the Bank to validate the non-financial disclosures and mechanisms for implementing the Bank’s sustainability related policies. We were free to choose interviewees and interviewed those with overall responsibility to deliver the Bank’s sustainability objectives;
• Performed sample-based checks of the processes for generating, gathering and managing the specified performance data and information included in the Report using selected GRI topic-specific Standards.

Opinion and Observations

On the basis of our assurance work undertaken, nothing has come to our attention to suggest that the Report does not properly describe Commercial Bank of Ceylon PLC’s adherence to the criteria of reporting (Guiding Principles and Content Elements) related to the <IR> Framework, representation of the material topics, business model, disclosures on value creation through identified capitals, related strategies and management approach and chosen topic-specific disclosures from the GRI Standards for identified material topics. Without affecting our assurance opinion, we also provide the following observations.

Principles of the AA1000 AccountAbility Principles Standard (2018)

Inclusivity

The participation of stakeholders in developing and achieving an accountable and strategic response to Sustainability.

The Report brings out the process through which the Bank has identified and prioritised its key stakeholder groups – investors, customers, employees, government institutions and regulators, business partners and the society and environment. The ongoing processes for engagement with these stakeholder groups are brought out within the Report along with descriptions of the key topics, feedback and expectations raised, as well as the Bank’s responses.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Inclusivity.

Materiality

The process of determining the issues that are most relevant to an organization and its stakeholders.

The Report describes the process through which the Bank analysed its external environment towards identifying emerging matters and trends for its identified stakeholder groups across political, economic, social, technological and legal/regulatory dimensions. This was used to refresh the Bank’s existing process of identifying and determining its material matters based on the relevance, impact and probability of occurrence of each material matter, as well as its potential to impact the Bank’s ability towards value creation.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Materiality.

Responsiveness

The extent to which an organization responds to stakeholder issues.

The Report brings out the Bank’s strategic planning processes, policies, management approaches, and internal control and governance mechanisms related to its identified material matters. The Report explains how its stakeholder engagement processes helped to adapt and integrate legitimate concerns and challenges as well as evolving challenges into the business model and overall strategy of the Bank towards deriving and creating value.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Responsiveness.

Impact

The level to which an organisation monitors, measures and is accountable for how its actions affect its broader ecosystems.

The Report explains the strategic planning processes and control mechanisms in place towards monitoring, measuring and evaluating the Bank’s significant impacts connected to its identified material topics and capitals. The outputs of these processes are brought out within the Report through performance metrics and descriptions of value creation and its outcomes.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Impact.

Specific Evaluation of the Information on Sustainability Performance

We consider the methodology and the process for gathering information developed by Commercial Bank for its sustainability performance reporting to be appropriate, and the qualitative and quantitative data included in the Report was found to be identifiable and traceable; the personnel responsible were able to demonstrate the origin and interpretation of the data and its reliability. We observed that the Report presents a faithful description of the reported sustainability activities and goals achieved for the reporting period.

Reliability

The accuracy and comparability of information presented in the report, as well as the quality of underlying data management systems

The Report brings out the Bank’s non-financial performance for its identified material matters through chosen GRI topic-specific Standards while ensuring inbuilt controls to facilitate transparency and reliability of information. The majority of the data and information verified through our remote assessments including interactions with the teams at the Head Office were found to be fairly accurate and reliable. Some of the data inaccuracies identified during the verification process were found to be attributable to transcription, interpretation and aggregation errors and these errors have been corrected.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Reliability.

Additional Principles as per DNV VeriSustain

Completeness

How much of all the information that has been identified as material to the organisation and its stakeholders is reported.

The Report uses the Content Elements and Guiding Principles of the <IR> Framework to bring out the key strategies, business model, management approach and value creation approaches across six capitals, as well as non-financial performance related to identified material matters using chosen GRI topic-specific Standards covering the Bank’s chosen scope and boundaries of reporting across Sri Lanka and Bangladesh.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Completeness with respect to scope, boundary and time.

Neutrality

The extent to which a report provides a balanced account of an organization’s performance, delivered in a neutral tone.

The Report brings out the Bank’s non-financial performance during the reporting period in a neutral manner in terms of presenting report content such as relevant information, key challenges and expectations, and operational context and outlook so as to not unduly influence stakeholder opinions made based on the reported data and information.

Nothing has come to our attention to suggest that the Report does not meet the requirements related to the Principle of Neutrality.

Statement of Competence and Independence

DNV applies its own management standards and compliance policies for quality control, in accordance with ISO IEC 17021:2015 - Conformity Assessment Requirements for bodies providing audit and certification of management systems, and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

We have complied with the DNV Code of Conduct2 during the assurance engagement and maintain independence where required by relevant ethical requirements including the AA1000AS v3 Code of Practice. This engagement work was carried out by an independent team of sustainability assurance professionals. We were not involved in the preparation of any statements or data included in the Report except for this Assurance Statement and Management Report. DNV maintains complete impartiality toward stakeholders interviewed during the assurance process. We did not provide any services to Commercial Bank or its subsidiaries in the scope of assurance for the reporting period that could compromise the independence or impartiality of our work.

For DNV

Kiran Radhakrishnan
Lead Assessor,
DNV Business Assurance India Private Limited, India.

Rohitha Wickramasinghe
Operations Manager – Sri Lanka
DNV Business Assurance Lanka (Private) Limited

Vadakepatth Nandkumar
Assurance Reviewer,
DNV Business Assurance India Private Limited, India

March 03, 2022
Colombo,
Sri Lanka.

DNV Business Assurance Lanka (Private) Limited is part of DNV – Business Assurance, a global provider of certification, verification, assessment and training services, helping customers to build sustainable business performance. www.dnv.com 

1 The VeriSustain protocol is available on request from www.dnv.com and is based on our professional experience, international assurance best practices including the International Standard on Assurance Engagements 3000 (ISAE 3000) Revised (Assurance Engagements other than Audits or Reviews of Historical Financial Information) and GRI’s Reporting Principles. GRI’s Principles for defining Report Content and Quality.
2 The DNV Code of Conduct is available on request from www.dnv.com 
Project Number: PRJN-332915-2021-AST-LKA