It is important for all parties in an assurance engagement to have an upfront understanding of where and how the assurance reports are to be used. While historically there have been more reports produced and used privately, more and more organisations are making their assurance reports publicly available.
Publicly disclosed ESG information must be credible and well-supported. Independent assurance reporting can provide greater confidence in ESG information. Assurance on ESG related disclosures and information is not currently part of a financial statement audit.
Engagements under International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information feature at least three separate parties: the practitioner, the responsible party and the intended users. Depending on the engagement circumstances, there may also be additional parties involved. Historically, the responsible party and intended users, have tended to be within the organisation itself, and hence reporting is private in nature. Recently, a number of organisations have made ISAE 3000 assurance reporting publicly available.
In considering whether reporting is private or public, practitioners, responsible parties, and users, should give consideration to:
- Awareness of scope and use of reporting: references to “audits”, “assured”, or “external reviews” can create confusion as to the nature and scope of work performed by the practitioner, and what it really means. Organisations should consider the level of upfront description of the nature of assurance testing performed, along with the specific scope of assurance, such that these are sufficiently clear to a potentially uninformed reader. It is important that the framework upon which the reporting has been undertaken, is clear (e.g. ISAE 3000), with particular attention to where international reporting standards are not used, eg methodologies that are “ISAE 3000 aligned”, or “like”.
- Reliance on public reporting: Most independent assurance reports that are made available in public, will include a limitation of liability in reliance upon the report, for any other purpose other than that which was intended and agreed between the Practitioner, and the responsible party in the Organisation. It is important for all parties in an assurance engagement to have an upfront understanding of where and how the assurance reports are to be used.
- The Description of Assurance testing performed: Although a consistent reporting standard may be used (e.g. IASE 3000), the comparability of reporting between firms can vary significantly, depending on the level of assurance provided (e.g. limited/reasonable), and the detail of testing undertaken by the practitioner. This is particularly relevant for limited assurance reporting under ISAE 3000. Readers of these reports should look carefully at and understand the description of testing undertaken by the practitioner, in order to get a deeper understanding of the basis upon which the practitioner has formed their opinion.
Visit our ESG assurance hub, where we walk you through everything you need to know about ESG assurance.