According to the IAASB glossary, assurance engagements are designed to enhance the confidence of intended users of information. There are two types of assurance: limited and reasonable.

In essence, says Paul Winrow, Partner – Public Policy and Regulation at Mazars, reasonable assurance engagements require more work than limited assurance engagements because of the nature of assurance required. It will demand more work, effort and evidence, for example, different forms of testing and, typically, larger sample sizes – and which result in a positively worded opinion.

Limited assurance engagements offer a lower level of assurance, requiring a lower level of work effort and resulting in an opinion to the effect that nothing negative came to the practitioner’s attention – during the course of carrying out the limited assurance engagement – to lead them to believe that the subject matter being reported on is misleading or incorrect.

The difference between the two types of assurance engagement relates ultimately to the level of assurance the practitioner is offering. But 100% testing is never possible in either scenario and assurance is never absolute.

Why is it so useful to return to these definitions? Because, says Gill Spaul, Director, Quality Management at Crowe Global, many small or medium practitioners rarely perform non-financial reporting assurance engagements. Such engagements are usually voluntary, especially in relation to information outside of environmental, social and governance (ESG) information – but not always.

Winrow points out that one area that assurance engagements are often not voluntary is when making a claim, for example, for a grant. But such circumstances are infrequent and relate largely to interactions with public and charitable bodies.

Extensive ESG reporting is also not applicable to all companies yet, but it is the direction of travel. Putting the systems in place to produce assurable reports on ESG data is a huge challenge for which the corporate world is bracing itself.

Assurance vs audit – lost in translation

But it’s not just the difference between limited and reasonable assurance that is often poorly understood. There is often a mix up between assurance and audit.

Spaul points out that a reasonable assurance engagement is not a ‘sustainability audit’. When referring to an ‘audit’, we are talking about a financial statements audit undertaken in accordance with auditing standards. “Calling Corporate Sustainability Reporting Directive (CSRD) assurance an audit could create an expectation. Such an expectation gap may be especially important given the wider range of interested parties when it comes to sustainability engagements,” says Winrow.

He notes that an audit pertains to the financial statements, largely read by investors, banks and other creditors (but not only these audiences). However, ESG-related information, and the assurance opinion, will be of particular interest to a much wider audience. If the wrong language is used and it is not clear what information is audited and what is assured – on either a reasonable assurance or limited assurance basis – confusion is only going to mount. That confusion can easily spread beyond the intended users.

Spaul also points out that, as a result of the nature of CSRD requirements (including value chain reporting and understanding of double materiality), a large number of ESG assurance engagements will be transnational, which could magnify the issues around terminology further.

She says: “There are some risks in using these words interchangeably. The word ‘audit’ usually is taken to mean an audit of the financial statements and it includes a whole range of implications that wouldn’t arise for a sustainability reporting reasonable assurance engagement. But equally, a sustainability reporting reasonable assurance engagement will have its own characteristics that a financial statement audit doesn’t have, for example, double materiality under the CSRD.”

The thorny issue of a qualified assurance opinion

At the conclusion of an assurance engagement, the practitioner might decide a modified or qualified opinion is the right outcome. “If you’re doing a limited assurance engagement, that is limited work. But where you do find something untoward, then you would modify or qualify the opinion, in the same way you would for a reasonable assurance engagement,” says Winrow. He goes on to say that it is likely that there will be many modified or qualified assurance opinions in the early years of CSRD adoption, even under limited assurance.

And it’s possible to deliver an unqualified assurance opinion one year and a qualified opinion the next year because the companies’ systems, data and process may have evolved to meet reporting requirements, different data has been sampled that reveals different insights, or new issues have arisen that tell a different story.

The different frameworks require hundreds of different data points. Companies will have to get used to telling their ESG stories through data held in systems (hopefully set up for this purpose) for the first time, so they can report against these frameworks.

“Remember that the reasonable assurance opinion isn’t saying this company is, say, incredibly green,” says Spaul. “What the opinion is saying is that there is reasonable assurance that what has been reported has been reported appropriately.” It follows that a company might report that it is failing to collect the data required to report on its ESG credentials and that’s OK from the practitioner’s point of view.

We are moving into uncharted territory for many companies. While greenhouse gas emissions is an example of an existing reporting requirement, and there are formulae that can be used for this, this is a new dawn for many preparers.

What makes it worse is that this type of ESG data does not reside in the accounting system unlike, of course, the data for the financial statements. It is likely that ESG data will be more fragmented, residing in several different systems or even in a collection of spreadsheets.

Where this information comes from functions outside finance – for example, human resources – it may have been collected for purposes other than ESG reporting. What is more, there may be different legal frameworks around that data which will vary from country to country.

“Much of this ESG ‘data’ is actually narrative,” adds Winrow. “None of this is simple. But increasingly, practitioners will be required to assure this type of information.”

With CSRD coming into force in Europe, European companies may be caught on the hop – but, equally, some may be well prepared – and those ill-prepared companies, along with their value chain/subsidiaries in non-EU countries, might be in for a shock.

For most companies, these are very early days for reporting on ESG matters. Admitting this fact or accepting a qualified assurance opinion is probably how companies will learn. It’s going to be really challenging – for companies and practitioners alike.

But, points out Spaul, the EU legislators have clearly taken the magnitude of the ask on board by calling for limited assurance in the first instance.