How do you evaluate the proposed scope of an ESG assurance engagement?

1. Who decides

Who should determine the scope of the assurance engagement?

The ‘what?’

It is the company (reporting entity)’s responsibility to decide what metrics or disclosures it wants assured. They will have determined who the reported ESG information is for, and for what purpose. 

The reporting entity is also responsible for determining the criteria to be used. Suitable criteria applied to the underlying subject matter (i.e. the occurrence, condition or event that is being measured or evaluated) result in the subject matter information. Once the applicable criteria have been applied, and the resulting ESG information has been determined, it is not appropriate for the entity or practitioner, then, to select a subset of that ESG information for assurance. If a smaller subset is to be assured, then the applicable criteria and underlying subject matter also need to be a narrower subset, so that the three-way relationship between what is being measured or evaluated, the applicable criteria, and the resulting subject matter information remains intact. Refer to What questions should you ask before accepting an ESG assurance engagement? for further information.

The practitioner does not decide what is to be assured, but does need to:

• determine whether the preconditions for assurance are satisfied before agreeing to accept the assurance engagement; this includes determining whether there is a rational purpose to what has been requested for assurance (will it enhance user confidence in a way that is appropriate in the engagement circumstances?); and
• understand who the intended users are and the purpose of the ESG reporting, as the practitioner will need to bear these in mind when considering materiality for the engagement.

The ‘how much?’

The level of assurance (limited or reasonable) is a matter of agreement between the entity and the practitioner (see also ICAEW paper What types of opinions are available for ESG under ISAE 3000 (Revised)? and is driven by the needs of the intended users. Once the level of assurance has been agreed:

• The scope question on the nature, timing and extent of work (the ‘how much’) is for the practitioner to determine and is a matter of professional judgement in the engagement circumstances.
• How much is needed to support the assurance conclusion should not be determined by the entity, but by the practitioner; limitations imposed by the entity on the scope of the practitioner’s work may have implications for the acceptance or continuance decision, and for engagement risk. 

2. Assuring part of the report

The entity doesn’t want the whole report assured. Can the practitioner agree to assure only a few KPIs?

In the initial stages of an entity’s ESG reporting, or as new topics are added to its reporting, the entity may make gradual changes to its systems, processes and controls over its ESG reporting; it may, therefore, not yet be ready for assurance on all of the information included in the ESG report. Provided the preconditions for assurance are present, including that:

• there is a rational purpose to the requested assurance;
• there is a coherent relationship between the subject matter information, criteria, and underlying subject matter; and
• the other acceptance conditions are met,

it is permissible to agree to a narrower scope engagement.

However, it may be expected that, in such a case, the ‘what’ is being assured may increase in successive periods, as the entity’s systems, processes and controls extend to new or additional topics. Although there may be a rational purpose to the entity continuing to obtain assurance on only a narrow scope of its ESG reporting, if the entity:

• is falling behind its plans to progressively increase the scope of what is assured in successive assurance engagements; or
• is not meeting users’ or market expectations,

that may call into question whether the assurance engagement has a rational purpose.

3. Omitting operations

What if the entity wants to omit some of its operations from its reported ESG information?

• The practitioner will, as for any other subject matter information, want to consider what the criteria require, who the intended users are, and the purpose of the entity’s ESG reporting. For example, if the ESG framework selected as the criteria by the entity requires reporting of a matter for ‘the entity, group and supply chain’, it would generally not be appropriate to omit operations from the ESG reporting and assurance. As noted in question 1 above, once the applicable criteria are applied, and the resulting ESG information has been determined, it is not appropriate for the entity or practitioner, then, to select a subset of that ESG information for assurance.
• An entity may claim that it has omitted information on the basis that those operations are not material; however, even a small operation may have a material impact (e.g. a small fossil-fuel intensive operation may be a large contributor to the entity’s GHG emissions). Further, each small operation may not be material, alone, but, when aggregated with other operations, may be material contributors to the ESG information.
• It will be important for the practitioner to exercise professional scepticism in understanding the entity’s reasons for wanting to omit the information. For example, the practitioner will want to consider whether the entity has systems and processes in place to obtain that information, whether the information for those operations is, or could be made, available, is used by the entity in its own decision-making, is required by the criteria to be reported, and is likely to be of interest to the intended users.

4. Applying part of a framework or standard

Can the entity select certain aspects of an ESG framework or standard as its criteria, or does it need to apply the whole of an ESG framework or standard?

If the entity is reporting voluntarily, it may elect which ESG framework or standard it wants to use as criteria. It may also select certain aspects from several different frameworks, or even develop its own criteria. This means there may be greater opportunity for selective reporting or bias by the entity. It is, therefore, important for practitioners to exercise professional scepticism and professional judgement about the suitability of the criteria (i.e. whether the criteria are relevant, complete, reliable, neutral and understandable). The practitioner will also want to discuss with the entity that it should:

• not state that it has ‘applied’ or ‘complied with’ the chosen framework(s) or standard(s) when it has elected to apply only certain aspects – to do so would be misleading – but should clearly state which aspects it has chosen as criteria (and, preferably, also why it has elected to apply certain aspects only), and
• make available to the intended users the criteria it has used; Refer to question 4 in our separate What questions should you ask before accepting an ESG assurance engagement? for further information.

If the entity is subject to mandatory reporting and assurance, it is unlikely that the entity will be permitted to select only certain aspects of the framework, standard or regulation; instead it will need to apply the whole of the relevant framework to the extent it is applicable to the entity’s activities and business (and if it is not applicable, to explain why).

5. Varying the scope

Can what is in scope for assurance be varied from year to year on a rotational basis?

The entity may want to vary the scope of the assurance engagement year on year, including different aspects of the ESG information in scope over a repeating cycle (‘rolling programme’), so that different parts of the ESG information are within the scope of assurance each year, and each part may be within the scope of what is assured once every few years. If the entity proposes a rolling programme of assurance, the practitioner will need to consider the reasons for the request, and whether:

• the proposed engagement (on its own, rather than when considered ‘in the round’ over the full cycle) has a rational purpose, and will meet the needs of intended users;
• the applicable criteria are relevant and complete for each period; and
• the intended users will be able to understand that assurance is restricted to different reporting matters from year to year.

When a rolling programme results in successive assurance engagements the criteria for presentation and disclosure may be particularly important to allow the intended users to understand the approach the entity has taken, and the ESG information that has been assured.

The practitioner will also want to discuss with the entity that the rotational plan should be followed as designed, and that aspects of the ESG information should not be removed or added on an ‘ad hoc’ basis, allowing the entity to ‘cherry pick’ what to have assured in each successive period. The practitioner will also need remain alert to changed engagement circumstances that may mean continuance of the recurring ‘rolling programme’ engagement is no longer appropriate.

6. Clarifying the scope

How do we make it clear what is assured and what isn’t?

It is the entity’s responsibility to differentiate between the information that has been subject to assurance, and information that has not. When the ESG information subject to assurance is a discrete indicator or topic, it may be relatively straightforward to distinguish it from information that has not been assured.

When the ESG information is spread throughout a narrative report (e.g. the ‘front half’ of the entity’s annual report and accounts), it may be more difficult to distinguish clearly what has, and what has not, been assured. The practitioner will want to discuss with the entity ways in which it may be made clear to the intended users, so that they understand which parts of the ESG report they may have greater confidence in. Examples of how this might be done may include use of different coloured pages or highlighted paragraphs, or placement of the information subject to assurance within ‘text boxes’ on each page.

The practitioner will also need to:

• Plan to perform evidence-gathering procedures for narrative or qualitative information, as well as for quantitative information, that is within the scope of the assurance engagement; just because information is expressed in narrative terms does not mean that it is automatically ‘other information’.
• Consider whether there is information ‘linked’ from the ESG information, and whether or not that forms part of what is subject to assurance; without clear indication, users of the ESG information may assume that it has been assured, and take greater confidence in such information than is warranted.
• Consider how to reflect in the assurance report what has been assured and what constitutes ‘other information’ and how to make it clear to the intended users the responsibilities that attach to each.

7. Levels of assurance

Is it possible to obtain limited assurance over some aspects of the ESG information, and reasonable assurance over others?

In the absence of a requirement for a particular level of assurance (e.g. an ESG framework requirement), it is possible for the entity to request, and for the practitioner to agree to, different levels of assurance on different aspects of the entity’s ESG information. For example, the entity may request limited assurance on its reporting of social matters, and reasonable assurance on environmental matters, or may want limited assurance on topics that do not directly impact the financial statement numbers or disclosures, but reasonable assurance on matters that do impact the financial statements, where intended users may want greater confidence in the information being reported. (Please see ICAEW guidance on Reporting on regulatory capital: choices for assurance for similar considerations.)

The practitioner will need to consider:

• whether the proposed level of assurance is likely to meet the intended users’ decision-making needs;
• whether, given the fast-paced change in regulatory requirements for mandatory ESG reporting and assurance, the proposed level of assurance meets regulatory requirements;
• how the entity will distinguish between those aspects subject to limited assurance and those aspects of its ESG reporting subject to reasonable assurance; and
• how to make it clear in the assurance report the level of assurance that has been obtained in relation to different aspects of the ESG information.

8. Insufficient evidence

What if we can’t obtain the evidence we need for some of the ESG information within the scope for assurance?

One of the preconditions for assurance is that there is an expectation of being able to obtain evidence to support the assurance conclusion. Practitioners will therefore want to understand enough about the entity’s process for preparing the ESG information and the likely sources and availability of evidence before agreeing to accept an engagement as an assurance engagement.

Once the engagement is accepted, the scope of the assurance engagement is agreed. If, after acceptance, it is discovered that there is insufficient evidence to support the ESG information being assured, that represents a limitation on the assurance scope, which, if material, will affect the assurance conclusion. It is not permissible to subsequently ‘scope out’ aspects of the previously agreed scope of an assurance engagement when there is insufficient evidence.