What is the scope of external assurance that companies typically request, especially given lack of a current mandate?
In the US, we typically see companies request external assurance over select metrics that they are disclosing in their sustainability or ESG reports. We also see some organizations that request external assurance on some of the metrics used to measure progress against specific sustainable goals or commitments. When possible, they’ll align those metrics with the frameworks, such as the Global Reporting Initiative (GRI) or Sustainability Accounting Standards Board (SASB). This can often be complex, and, in some cases, organizations might have to develop custom-made criteria for metrics that are specific to them.
There are a few reasons that companies request voluntary external assurance. One is industry or sector initiatives that require it or strongly recommend it. Some ESG questionnaires used by rating firms will also allocate additional points if assurance is provided. Additionally, companies that include ESG metrics in their reports may be asked by investors for external assurance like what you would see from a financial perspective. Because external assurance is still voluntary in the US, most ESG information is not filed with, or furnished to, the SEC.
Can you identify the different types of external assurance and offer some considerations as companies approach obtaining assurance?
There are two main levels of external assurance conducted in accordance with the AICPA’s “Attest Engagements” (AT-101) that organizations are receiving on their ESG-related data. One is limited assurance (also called review). The other is reasonable assurance (examination level). Most organizations are obtaining limited assurance over their ESG information.
In a review, auditors perform fewer procedures than if they were to provide a reasonable level of assurance. A limited assurance engagement mainly includes analytics and some limited substantive testing and provides negative assurance (i.e., nothing came to our attention that…), whereas, in an examination, the auditor performs auditing procedures that may include walk-throughs, test of controls and much more extensive testing.
As companies are starting to get ready for external assurance, one consideration we discuss with our clients is setting boundaries (e.g., defining the scope and assessing what metrics should be disclosed). We also suggest taking an assessment of the documentation around the data aggregation, consolidation and reporting processes. Oftentimes, the documentation is disaggregated, and the organization might not be aware of what the full process completely looks like.
Are you seeing finance professionals become more involved in preparing for assurance of ESG information?
Finance can help document those processes, definitions, assumptions and estimations. Additionally, finance professionals can perform a second-level review of the control documentation and data. Finance teams can help the sustainability/ESG teams provide an overview of where the information will be shared, the purpose of aggregating the information and the importance of documentation. For example, obtaining greenhouse gas emissions or water or safety metrics often requires many employees across the organization to be involved in the process, and the process or data owners may not necessarily be aware of how or where the information will be used.
We see that involving the finance team, the risk team and controllers’ groups in the external assurance process is important since they can not only help the external audit team with getting the relevant information, but they can also be that bridge between the sustainability team and the external audit teams.