It is essential that roles and responsibilities are clearly defined and understood in an assurance engagement. The assurance practitioner does not give a guarantee of the information provided but independently assesses it based on the evidence.
Environmental, Social and Governance (ESG) reporting addresses matters that are becoming increasingly critical to decision-making by investors and other users. If reporting is to meet user needs, allow for informed decision-making and the proper functioning of capital markets, users need to be able to trust it. The ability for users to trust ESG information is likely to be enhanced by, among other matters:
External assurance is therefore only one factor in enhancing the quality and trust in ESG reporting; the benefit is greater when the other factors are also present.
1. Clarity on assurance's role
Is the role of assurance clear?
There are often misconceptions about assurance being a form of ‘insurance’ or ‘guarantee’ of the information that has been assured. This is not the case.
The responsibility for the reported information rests solely with the directors of the entity procuring the assurance. Obtaining assurance does not shift that responsibility onto the assurance practitioner. In the first instance, the entity should be able to demonstrate that it can stand by the information being reported with evidence.
The assurance practitioner independently assesses the information, based on the evidence. Independence is essential to the assurance practitioner being able to give an unbiased conclusion; a close relationship between the assurance practitioner and management of the entity may create a familiarity threat, with the risk that the assurance practitioner may put the interests of management over those of intended users.
2. Rational purpose
Why does the entity want assurance?
Assurance can be valuable to any entity looking to increase the credibility of its ESG reporting. This can be in the form of assurance over one-off or specific ESG reports, recurring reporting on ESG information, or reporting on systems and controls used by the entity to prepare its ESG information.
External assurance is worth undertaking if the information itself is useful to users and their decision-making. When making decisions about whether to obtain external assurance, it is important that assurance practitioners highlight to management of entities the need to engage with the intended users of reports so as to determine their priorities and information needs.
A key consideration for any assurance engagement is to establish the reason and motivation for having certain information or activities assured, i.e. whether there is a ‘rational purpose’ for the request. For example, it is unlikely that a rational purpose will exist if an entity has excluded from the scope of the proposed assurance engagement key information that is needed by the intended user. A rational purpose may also not be present when assurance is being sought on a subset of the ESG information but excludes other, more relevant, information covered in the ESG report.
3. Intended users and use
Has the entity identified the intended users of the ESG information and why it is being prepared for them?
The entity should be able to articulate why it needs the ESG assurance and for whom the information is intended.
The assurance practitioner needs to understand who the ESG information is intended for and for what purpose in order to be able to judge what is material (i.e. what ‘matters’) to the intended users.
The assurance engagement is designed to provide either limited or reasonable assurance, as appropriate, about whether the ESG information is free from material misstatement. What is material is judged from the perspective of the intended users.
4. Clarity on user needs
Are the preparers of the information clear on the users’ needs for their decision-making?
It is important that assurance practitioners have comfort that preparers of the information are clear on what information is needed by decision-makers and for what purpose. To start with, practitioners will want to consider how the intended users, key stakeholders and key governance structures involved in ESG reporting have been identified.
Practitioners should then be able to independently assess the systems, controls and processes undertaken by the entity to collect, prepare, manage and report the ESG information. The systems, processes and controls should be aligned to the entity’s internal governance and decision-making protocols.
5. Framework or reporting standard
Have the preparers selected the framework or reporting standard(s) to be applied as criteria for reporting the information subject to assurance?
Establishing whether suitable criteria exist is one of the preconditions to accepting an assurance engagement. In other words, if the criteria selected or developed by the entity do not result in information that is relevant, reliable etc. (i.e. they are inadequate to serve as a set of ‘rules’ for preparing the information, and/or are open to different interpretations), they will not be suitable for the assurance practitioner to assure against, and the assurance practitioner is not permitted to accept the assurance engagement.
The responsibility for selecting or developing the criteria rests with management of the entity. The assurance practitioner is not permitted to select or develop the criteria as to do so could compromise their independence.
6. High-level principles
Has the preparer specified how the ‘high-level’ principles or ESG framework(s) are developed and applied at a level of detail sufficient for the needs of the intended users?
It is the entity’s responsibility to implement the ESG principles or frameworks in accordance with which it proposes to report. The criteria applied will depend on the needs of the intended users as well as the entity’s internal governance and decision-making needs.
Assurance practitioners should be able to be confident that frameworks are developed, applied and disclosed with sufficient granularity, by the preparer, so as to be able to assess the sources of information, methods used for its measurement or evaluation, collation, processing or interpretation against the selected framework.
7. Governance, system, process, controls
Are the governance, systems, processes and controls in place to identify, record, collate and report ESG information able to be independently assessed?
Practitioners need to be able to validate the reliability, completeness and relevance of the ESG information collated by the preparers. This is to confirm that it meets the needs of the intended users.
In addition, assurance practitioners will want to satisfy themselves that the ESG information has been collated in line with good governance and regulatory expectations. To do so, they need to independently consider the robustness of the systems, processes and, where relevant, the internal controls of the entity so as to obtain the agreed level of assurance.
The entity should also have in place governance arrangements facilitating appropriate monitoring and reporting of ESG information as well as governance protocols to be followed so as to ensure effective and adequate decision-making in relation to ESG information.
Depending on the maturity of the entity’s ESG reporting arrangements, assurance practitioners may find that it is not possible to obtain the evidence to support the required level of assurance. In this instance, they may be able to support or direct the entity in obtaining external, third-party advice as to how to enhance their structures, protocols and processes before they seek limited or reasonable assurance.
It is important to note that if assurance practitioners opt to support the entity with advice on how to implement or enhance their governance structures, processes, systems or controls, they cannot later provide assurance as this breaches their independence; the so-called ‘marking their own homework’ concept is not acceptable.
8. A good draft
Has the entity prepared a good draft of the ESG report or set of information subject to assurance in time for the start of the assurance engagement?
It is the responsibility of the entity’s management to put together a draft ESG report or draft set of ESG information based on the selected criteria, and in line with the needs of the intended users.
It should have this ready by the start of the assurance engagement so that there is sufficient time for the assurance practitioner to plan and perform their evidence-gathering procedures.
The role of the practitioner is to independently validate the information submitted by the entity in its ESG reporting, against the evidence for that information.
Practitioners are expected to obtain evidence for the information they have been provided with in the draft ESG report or set of information to be assured, in order to be able to reach their assurance conclusion. The depth and breadth of evidence required will depend on the level of assurance to be obtained, either limited or reasonable, the quality of the evidence, and the particular circumstances of the engagement.
9. Reported ESG information
Has the reported ESG information been prepared in accordance with the selected and disclosed criteria?
As noted above, the entity needs to prepare the ESG report or set of information in line with the selected ESG framework, standard or other criteria, developed as necessary to provide a sufficiently granular set of ‘rules’ that form the basis for preparing the ESG information.
Assurance practitioners are expected to familiarise themselves with the selected criteria and assess the quality of the ESG output against them. To do so, assurance practitioners will need to perform evidence-gathering procedures to validate the final outputs.
The criteria also need to be made available to the intended users so that they can understand how the information has been prepared and assured against.
10. Evidence quality
Can the entity stand by the information presented as a neutral / factual / complete account of its material ESG activities and performance, and is there evidence to support the level of assurance agreed to?
It is the responsibility of the entity to prove that the reported information represents a complete account of its material ESG activities and performance in accordance with the selected criteria.
However, assurance practitioners need to be able to demonstrate through robust evidence-gathering procedures that they have considered the evidence - both for and against - for what has been reported.
Practitioners may find themselves in a situation where the entity’s systems and processes are not sufficient to be able to provide the preparer with a reasonable basis for the ESG information. If that is the case, and the expected evidence would not be sufficient to support a reasonable level of assurance, the practitioner should not agree to a limited assurance engagement either. The reason is that, in a limited assurance engagement, if the practitioner becomes aware of a matter that causes them to believe that the ESG information may be materially misstated, the practitioner is required to design and perform additional procedures to obtain further evidence. The difference between limited and reasonable assurance is to do with the practitioner’s work effort - and therefore with how confident the users can be in the reported information. It is not to do with whether the preparer has a ‘lesser’ or ‘greater’ basis for the reported ESG information.