Understand the advantages and disadvantages of assurance options, the perspectives of both internal and external auditors, and how to choose the most appropriate assurance provider for your needs.

Nature of the assurance activities

Assurance activities that directors require will be varied and may include:

  • assurance over specific technical and scientific data points and metrics;
  • assurance over specific disclosures and external commitments (in the annual report or elsewhere);
  • substantive testing;
  • end-to-end process and control reviews;
  • continuous assurance and real-time monitoring;
  • programme and transformation assurance;
  • benchmarking progress and readiness;
  • ad-hoc advice and real-time reviews (in project steering groups, etc); and
  • formal external audit and assurance reporting, including within annual reporting structures.

In addition, any assurance needs to consider risks, disclosures, systems and processes, as well as the culture and behaviours within the organisation. A portfolio NED told us: “Considering climate [risks and opportunities] has already taught us a lot about culture and people doing the wrong thing, even when they think they are doing the right thing. We need to have a mindset of professional scepticism to apply to this issue and consider the impact of human interaction.”

It is important to articulate these expectations to enable a full discussion of how the assurance is best provided. Some elements require assurance to be embedded within the business, reporting to management, which then enables meaningful internal discussions with directors. Other aspects may require greater external expertise, be that in the provision of assurance or the scientific, technical or operational skills to form judgements.

A senior executive suggested to us that assurance likely needs to be real time and agile, perhaps closer to advisory work, and that internal functions will need to create the mechanism to deliver different forms of assurance. “I see our need as being much more like auditing a project or systems implementation where readiness is a key element,” the senior executive explained.

Assurance is likely to need to be real time and agile, perhaps closer to advisory work. Internal functions will need to create the mechanism to deliver different forms of assurance.

Senior executive

According to a consulting partner, they were being approached to work both on behalf of the executive and reporting to them independently. Describing their experience, the consulting partner said: “Some issues require an independent mindset and assurance aligned with auditing standards. In other areas we need to step in and be pragmatic and risk focused in looking at the rigour and reliability of underlying processes. This requires flexibility both within the companies and in our responses.”

Choosing the right source of assurance

Directors need to develop a clear plan that outlines the nature and extent of assurance activity they are going to rely on, mapped to risks, commitments and disclosures. There is a balance to strike between the investment required in independent external or third-party assurance and internal assurance performed by management or independently through the internal third line.

It will be advisable to conduct a materiality assessment when considering what form of assurance is appropriate.

The following table sets out some of the considerations for the options available and how they impact the nature and extent of assurance reliance.

Assurance delivered by an external audit provider

Advantages:

  • Independent from management
  • Inherent investor credibility and trust
  • Aligned with financial statement audit
  • Performed in accordance with recognised assurance standards
  • Audit firm subject to regulatory oversight

Disadvantages:

  • Restrictions around nature and extent of work by a company’s own external auditor
  • Assurance standards cover limited and reasonable assurance, which limit scope and may not be understood
  • Higher cost than internal activities

Assurance delivered by an alternative third-party assurer

Advantages:

  • Independent from management
  • Specialist firms have deep experience in specific capabilities
  • No external audit independence concerns, so can advise and assure

Disadvantages:

  • Not subject to specific assurance quality standards
  • May not understand the broader context of audit and assurance
  • Less well known to stakeholders
  • Higher cost than internal activities

Internal audit

Advantages:

  • Independent from first and second-line management
  • In-house understanding of the management structures and systems
  • Work alongside management at all stages providing real-time advice and assurance
  • Process and risk-based reporting with thematic findings
  • Follow standards set by the Institute of Internal Auditors (IIA)
  • Trusted by the audit committee chair to whom they report

Disadvantages:

  • Not subject to regulatory oversight in the same way as external audit providers
  • May not have the same level of credibility with stakeholders
  • Opinions generally not published externally
  • Limited resource and capability pool unless working with co-source provider

Management or second-line assurance

Advantages:

  • Work within the company at all stages providing real-time advice and assurance
  • Direct accountability for getting things right embedded within the organisation

Disadvantages:

  • Not operating to any specific standards and no quality oversight
  • May not understand the broader context of audit and assurance
  • Views and opinions will not be considered as independent or reliable by most external stakeholders


The options above should be regarded as mutually supportive. A well-articulated and defined combination is likely to be the right solution.

Internal auditor’s perspective

For internal audit, climate assurance is both a risk and an opportunity. There is a sense among some we spoke to for this research that the BEIS consultation paper created a language that points to an expectation of external audit. However, building capabilities within internal audit and highlighting their potential should enable the function to demonstrate its value. As detailed in the table above, the lines of defence play an important role in enabling directors to take decisions with confidence and fulfil their accountabilities for all aspects of their climate strategy.

“We need to understand what assumptions the business is really making, when risks will crystallise and the velocity. It requires agile, real time and courageous assurance.”

CAE of a major global insurance provider

According to IIA Standard 2120 – Risk Management, “the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes”. In addition, IIA Standard 2130 – Control states: “Internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.” Standards 2120 and 2130 establish a foundation for internal audit’s role in providing assurance over the organisation’s ESG (including climate) processes, controls and reporting.

A report by the IIA and EY, Prioritising Environmental, Social and Governance: Exploring IA’s role as a critical collaborator, indicates that most organisations have involved their internal audit functions in some way with climate initiatives, although only around 30% of internal audit functions have climate fully embedded within their plans.

In our research section covering Critical questions for directors, we note the inherent challenges for internal audit in developing the right capabilities. Added to this will be challenges in:

  • explaining to directors, investors and beyond how internal audit provides value and insight when there are questions over what climate-related risks can be audited;
  • adapting reporting templates to incorporate real-time or continuous audit activities, working alongside management;
  • identifying the right data points aligned to the targets that management is focused on;
  • obtaining documented processes and self-attestation from management in an area that is changing rapidly; and
  • building new internal audit protocols amid uncertainty.

These are issues that internal auditors have experience of managing. New risks like cyber and data protection have emerged that have been addressed appropriately with assurance. Behaviours and culture are now recognised as important elements of an internal audit programme. Internal audit can work alongside management as the strategy and plans develop, preventing risks from materialising before commitments are made and calling out potential unintended consequences. The benefits of this are significant.

The head of audit and risk in a FTSE 100 retailer told us: “We are starting from a place where there is an established responsible business agenda. Internal audit has developed its plans to match this strategy. Assurance mapping is critical as we use third parties for various elements of the plan, and we need to understand the relative responsibilities.”

The Chartered Institute of Internal Auditors (CIIA) provides detailed guidance and tools to support internal auditors on its climate pages.

Breaking down the risks associated with climate will enable experienced internal auditors to address them and provide meaningful insight. Heads of internal audit informed us that they are likely to deploy a combination of both individual audits and a thematic approach across the audit plan. Specific data, metrics and disclosures should be auditable from a process and controls perspective as independent audits. However, where the organisation is conducting cyclical or operating company audits, climate risk would be an element alongside technology and behaviours. 

"It’s helpful to consider how climate impacts on all risks and to create a thematic question in all audit work. We have developed a resource pool of individuals with the right climate skills to cut across all our work."

CAE of a national building society

The board and the audit committee should be seeking greater assurance from their internal audit functions and having regular discussions on the capabilities and data that exist. There is a need for an integrated approach across all lines of defence to approach this as an emerging risk area. Internal audit is likely to deploy an agile approach that enables the plan to evolve over time. Forms of reporting may also need to be adapted. We believe the earlier these discussions start, the better prepared directors will be.

External auditors’ perspective

The Buyers’ Guide to Assurance over Non-financial Information provides analysis and guidance on the options available in obtaining assurance from third parties, including external auditors. Discussions are occurring between external audit providers and their clients about how this should be applied.

Contributors to this guidance also frequently referred to the value of benchmarking that the larger audit firms are best placed to provide.

Within their existing responsibilities, external auditors are required to consider the consistency of all information contained within the annual report. There are, therefore, likely to be opportunities to extend this requirement to conduct deeper assurance over the non-financial metrics that are being disclosed. The EU recognised this in its 2021 Corporate Sustainability Reporting Directive (CSRD), which proposes starting assurance activities over specific metrics initially on a limited assurance basis.

At present, audit firms most commonly use the International Auditing and Assurance Standards Board (IAASB) standard ISAE (UK) 3000 International Standard on Assurance Engagements (Revised) to perform assurance work over non-financial information.

The IAASB has proposed an International Standard on Sustainability Assurance (ISSA 5000) as a comprehensive, standalone standard suitable for limited and reasonable sustainability assurance engagements. It will apply to sustainability information reported across any sustainability topic and prepared under multiple frameworks. The final standard is expected before the end of 2024.

ISAE (UK) 3000 provides for two forms of assurance:

  • Limited assurance, where the assurance provider’s conclusion provides comfort over whether the subject is plausible against defined criteria, framed in a negative manner. For example, ‘nothing has come to our attention to indicate the management assertion is not properly prepared’.
  • The higher level reasonable assurance, where the assurance provider undertakes more testing and obtains sufficient evidence to confirm whether the specific subject conforms to the defined criteria, framed in a positive manner. For example, ‘in our opinion the management assertion is properly prepared’.  

Investors and stakeholders will find these reports valuable as they are based on recognised standards and ways of working, delivering credibility to company disclosures. The CEO of one major asset management firm wrote to 1,500 companies in 30 countries saying that they expect climate reporting to be externally assured. External audit providers are working with their clients to consider where these reports are most valuable and where it is appropriate to plan to move from limited assurance to reasonable assurance over time.

Within certain jurisdictions, there is likely to be an evolving mandate for external audit or assurance by the external auditors over certain disclosures and metrics, such as non-financial information disclosed as being critical to remuneration strategies. This may become an element of the statutory audit or a separate assurance engagement.

In April 2021, the International Federation of Accountants (IFAC) and the IAASB produced guidance to support the application of ISAE (UK) 3000 in relation to sustainability. The guidance is designed to strengthen the credibility and influence of assurance engagements and underpin the quality of extended external reporting until ISSA 5000 becomes effective. The guidance includes helpful examples and covers: 

  • applying appropriate competence and capabilities;
  • exercising professional scepticism and judgement; 
  • determining preconditions and agreeing scope;
  • considering the entity’s process to identify topics;
  • determining the suitability and availability of criteria;
  • considering the process used to prepare subject matter information, or internal control over preparation;
  • using assertions;
  • obtaining evidence;
  • considering materiality of misstatements;
  • addressing qualitative information;
  • addressing future-oriented information; and
  • communicating effectively in the report. 

The Centre for Audit Quality (CAQ) in the US released a publication in March 2021 on the role of external auditors in enhancing the credibility of ESG information, which provides questions for the board to consider.

Directors should be aware that such assurance reports will have tightly defined scopes of work so that an opinion can be reached.

Some we spoke to for this research were concerned that stakeholders may take false assurance from this work. Investors are informed stakeholders and may understand the limitations these assurance reports imply, but wider stakeholders are less likely to unless the disclosures are very transparent. The NED of a global utility provider suggested to us that in their situation “the assurance we were receiving over the numbers was based on a limited assurance engagement, but within the scope we were simply getting assurance that the numbers that were provided to the auditor were accurately reflected in the annual report.” 

Similarly, the CAE of a global industrial conglomerate said: “The company had set out its climate disclosures in the annual report following assurance activity by a third-party provider. At the last minute we reviewed this internally and realised that the assurance simply tied one set of numbers to another. No-one had taken this back to the source of the data. We had to rapidly revisit elements of our disclosures whilst we re-examined our processes.” 

In this context, when commissioning assurance activities, directors must be careful to define the scope and objectives of the assurance they require, mindful of the purpose that the report will be used for. It is the responsibility of the directors to ensure that the assurance meets their needs and that of the wider users of the information. Ensuring transparency in the wording of the disclosures on the assurance that has been obtained will be critical.

An external audit partner told us: “We are working with audit committees to ensure they understand the assurance we can provide within the existing framework and the quality of the work we can deliver to support the directors. Over time we look forward to the development of a specific standard that enables us to extend that assurance. We have the capabilities to deliver on this and we believe that this will be valuable to investors.”

Choosing a third-party assurance provider

IFAC’s 2024 State of Play report indicated that 69% of companies reviewed had obtained some level of assurance on at least some of their ESG disclosures. According to the report, 73% of those obtaining assurance did so through the same firm as their statutory auditor.

When considering third-party assurance, directors face a decision as to the nature and form of that assurance. External audit providers will provide limited or reasonable assurance in accordance with ISAE (UK) 3000. Many specialist boutiques, as well as larger consulting firms, are emerging with the ability to provide assurance, although they do not have to comply with the auditing standards and are not subject to the same level of regulation and quality oversight.

The challenge will be to identify the right combination of specialist climate-related skills, including scientific specialism where appropriate, alongside the professional assurance capabilities. 

Choosing a provider will depend on the outcomes the directors are seeking and whether they want an independent assurance opinion or specialist support for the executive or internal audit to provide the right level of assurance to the board.

  • External audit firms are recognised and respected for their opinions by investors, who will know that the work behind the views expressed has been performed in accordance with recognised assurance standards.
  • It may be efficient for the external auditor to consider climate disclosures made in the front half of the annual report, alongside the assumptions and judgements that are inherent in the financial accounting. External auditors need to consider all narratives and non-financial disclosures as an element of their work. However, when operating within ISAE (UK) 3000, defined scopes of work are necessary, and it is more challenging to consider broader risks or forward-looking commitments. External audit firms also have internal audit and risk departments with capabilities to conduct assurance reviews for clients where they do not provide external audit services. 
  • There are an increasing number of specialist boutiques advising on the strategic and scientific aspects of climate change and/or internal audit and assurance. These firms can provide deep expertise and will be positioned to be proportionate and pragmatic in the work they deliver. For some assurance activity there is a need for technical accuracy in response to science-based targets and these boutiques may have the skills to deliver this. However, they may lack understanding of assurance frameworks and the lines of defence within a company, so the reliance directors can place on their assurance opinion is more limited. The head of internal audit within the organisation should be able to complement these skills and/or may be well placed to conduct specialist activities such as scenario analysis or modelling on behalf of the first or second line.
  • Larger consultancy firms are developing their capabilities in both climate and assurance to be able to provide a scalable and global resource pool. These firms can be agile in their response and, like the large external audit providers and specialist internal audit firms, will have the skills to apply the IIA’s standards and framework, alongside specialist climate skills. 

We believe that directors should consider:

  • whether a formal opinion is valuable from a stakeholder’s perspective to give credibility to specific metrics and disclosures;
  • the nature of the assurance they are considering (as detailed above) and the risks being assured;
  • any regulatory obligations requiring an independent view or opinion;
  • any restrictions or independence concerns associated with working with external audit providers;
  • the strengths and capabilities that exist in the second and third line internally. This might be a good time to perform a quality assessment review over internal audit and/or wider assurance functions;
  • specific requirements, such as whether the requirement is for an independent assurance review, or for support with scenario analysis or modelling to enable internal functions and management to provide their own assurance;
  • the extent to which scientific or technical capabilities are required and which providers have the appropriate specialisms for the company; and
  • the global reach required.

Another consideration is who is commissioning the work. If it is the audit committee, for example, it is likely to be with a view to meeting investor expectations and with a potential desire to report externally on the findings. In this case, engaging an external audit firm or larger consultancy may be preferred, particularly if the report will be integrated within the annual report of a larger listed company or PIE. The Ethics and Sustainability Committee or the executive may choose an alternative provider to meet their operational and technical needs or to maintain a distinction from the activity of the external auditors.

Recommendations

  • Clearly articulate your assurance needs, be they around risk appetite, processes, systems, reporting or disclosures, as this will underpin how it is best delivered.
  • Consider carefully how quality, flexibility, credibility and the nature of assurance are balanced and define expectations.
  • Take the opportunity to engage early with internal audit to reassess the range of assurance opportunities available within the organisation.
  • Ensure directors understand the opportunities and credibility of limited and reasonable assurance opinions performed in accordance with relevant external assurance standards.
  • Be clear on your assurance needs in all respects in shaping your decisions around third-party assurance so that the right provider can be identified.
 

Case study

Unilever clarifies its approach to sustainability commitments.
