
The practical challenges around the assurance of ESG reporting need to be carefully considered before accepting an engagement.

Environmental, Social and Governance (ESG) reporting addresses matters that are becoming increasingly critical to decision-making by investors and other users. There is a recognition that historical financial information is no longer enough, on its own, to provide a holistic view of an entity’s performance and future viability. While non-financial reporting has often been undertaken on a voluntary basis, there is an increasing focus on reporting that is mandated by law or regulation.

These reporting developments and requirements are increasing demand for assurance. If reporting is to meet user needs, allow for informed decision-making and the proper functioning of capital markets, then users need to be able to trust it. Assurance by an independent third party adds credibility to what has been reported. However, ESG reporting, by its nature, raises some practical challenges for preparers of the information and, in turn, for practitioners.

These challenges have the potential to limit the value of assurance if they are not addressed.

1. Practitioner understanding

Does the practitioner understand what is to be reported by the entity in its ESG information?

When entities prepare their ESG reporting, what is measured or evaluated (i.e. the underlying subject matter) may be varied and diverse. For example, it may include:

  • the entity’s Scope 1, 2 and 3 greenhouse gas emissions,
  • the equality of gender pay,
  • diversity of the workforce,
  • health and safety performance,
  • how the proceeds of a bond have been applied,
  • the governance arrangements in place to monitor and manage the entity’s climate-related risks, or
  • a combination of these and numerous other matters.

ESG information can be more complex than financial information, subject to greater uncertainty, difficult to measure or evaluate, and may be future-oriented, making it inherently more subject to bias or error.

Assurance practitioners will need to consider the impact for their assurance approach, including the need for an appropriate combination of assurance skills and subject matter expertise on the engagement (see also Question 4 below), the need for coordination, direction, supervision and review of the work of a multidisciplinary team, and the need for sufficient knowledge of the entity and its business to be able to exercise professional scepticism and sound professional judgement.

2. Intended users and purpose

Has the entity articulated who the report is intended for and for what purpose, and how has the entity determined whether the ESG information being reported will meet the information needs of the intended users?

Management of the entity should be able to articulate why it is preparing the ESG report and for whom the information is intended. It should also have been through a process to identify the intended users’ information needs. The practitioner will need to bear those identified users and their needs in mind when (i) planning and performing the assurance procedures, and (ii) in evaluating misstatements identified as a result of those procedures. The assurance conclusion is expressed in terms of ‘in all material respects’. Materiality (in other words, what ‘matters’) is judged from the point of view of the intended users, so it will be essential for the assurance practitioner to understand who the intended users are, and their information needs.

The assurance practitioner will also want to consider to what extent the reported ESG information is used for the entity’s own decision-making purposes, as (i) if information is important to intended users and other stakeholders, it may be expected that the entity would be using that information for its own decision-making purposes, and (ii) if the entity is using the information in its decision-making, then it may be reasonable to expect that a user may be interested in that information. If the information is not used for the entity’s own decision-making purposes, that may raise a question as to why the ESG information is being reported.

3. Frameworks and standards

What ESG reporting framework, standard or other criteria have been used to prepare the reported information?

Due to the wide range of available reporting frameworks, different criteria are used to prepare ESG information. Often entities develop their own criteria in addition to, or instead of, framework criteria. They may also select aspects of the criteria from different frameworks. As a result, there may be greater opportunity for ‘cherry-picking’ or management bias in the selection or development of criteria. Practitioners need to be able to exercise professional scepticism and professional judgement about the suitability of the criteria (i.e., whether they are relevant, complete, reliable, neutral and understandable). The practitioner will also want to discuss with the entity that it should not state or imply that it has ‘applied’ or ‘complied with’ a framework when it has elected to apply only certain aspects of that framework - to do so would be misleading.

The assurance practitioner will also want to consider the rapid change towards harmonisation of reporting standards, as it is expected that there will be greater convergence of sustainability reporting standards in the near future, together with possible regulatory requirements to apply them. However, until then, it is key that the reporting entity makes available the criteria it has used – framework criteria and its own basis of preparation – so that the intended users can understand how the ESG information has been prepared. See also Question 4 below.

Linked to the pace of change in ESG reporting are similar developments in assurance of ESG information. For example, the EC’s proposals for a Corporate Sustainability Reporting Directive initially require limited assurance, but that may progress to reasonable assurance once the Commission has published its assurance standard(s) – i.e., the level and scope of assurance may be prescribed by regulation. It is expected that other jurisdictions may follow suit. Assurance practitioners may therefore need to prepare for reasonable-level assurance in the near future and will also want to discuss with reporting entities the preparations that may be needed by those entities for mandatory reporting and assurance. Understanding what their EU counterparts are doing to plan ahead for these requirements may be helpful to both UK preparers of ESG information and UK assurance practitioners.

4. Making criteria available to users

Will those criteria be made available to the intended users so that they can understand how the ESG information has been prepared?

It is important for intended users to be able to understand how the underlying subject matter has been measured or evaluated. Without having access to those criteria, intended users will not be able to understand how the ESG information has been prepared, what the assurance engagement has been conducted against, or compare the ESG activities and performance of different entities. Even when an ESG framework is available publicly, the entity will have applied the high-level principles of the chosen framework in a particular way; that ‘particular way’ also needs to be made available to the intended users, for example in a ‘basis of preparation’ note to the ESG report. Together, the framework and basis of preparation form the criteria.

Unless the framework criteria, alone, meet the requirements for ‘suitability’ (i.e., they need no further development to meet the characteristics of suitable criteria) and are available to the intended users either publicly or in the terms of a contract to which the users are party, the entity should make the criteria available along with the ESG report so that the criteria and the ESG information ‘travel together’. If the entity does not do this, the practitioner should include the criteria in, or appended to, the assurance report.

5. Subject matter information

Does what is being reported naturally and necessarily result from applying the criteria to what is being measured or evaluated (the underlying subject matter)?

There is an important, but not always well-understood, three-way relationship between what is being measured or evaluated (the underlying subject matter, e.g., how many tonnes of GHGs the entity has emitted in a particular period), how it is measured or evaluated (i.e., the criteria or ‘rules’ that have been used to measure the GHG emissions), and the resulting subject matter information (e.g. the reported GHG emissions expressed as CO2e). Information that does not result from the application of suitable criteria cannot be ‘subject matter information’ for assurance purposes.

Assurance practitioners will need to consider whether the ESG information they are being asked to assure results, of necessity, from the application of suitable criteria, or whether it contains subjective or aspirational statements, ‘beliefs’ or similar, that do not result from applying suitable criteria. If such statements are included, the practitioner should ask the entity to revise or remove them, so that what remains results from the proper application of the criteria. Once suitable criteria have been applied to what is being measured or evaluated, the result is the subject matter information. It would not be appropriate to then assure only a subset of that information, as that would not be ESG information ‘prepared in accordance with the criteria’. This is similar to the application of accounting standards (as criteria) to financial performance, to result in the financial statements. The auditor assures whether the financial statements, as a whole, are fairly presented. It is not permissible to scope out certain line items from the financial statements as to do so would not meet the criteria (accounting standards). See also Question 6 below.

6. Meeting users' needs

What are you being asked to assure, and will it meet the intended users’ needs?

First, the practitioner will want to determine whether there is a rational purpose to the assurance being requested (i.e. is it designed to enhance user confidence in a way that is appropriate in the engagement circumstances?) Assuring only what is easy to report and assure, or that casts the entity in a more favourable light than is warranted, is unlikely to have a rational purpose. See also Question 5 above.

Secondly, the practitioner will need to consider how the entity distinguishes, in the ESG report, between the information that is subject to assurance, and information in the same document that is not (i.e. is ‘other information’). This can be more challenging in ESG reporting than for financial statement reporting; in the latter the information is expressed primarily in quantitative terms and is contained within a standardised form of report. ESG information may be mainly qualitative, include future-looking elements, be a mix of qualitative and quantitative information, and be spread throughout a narrative report (e.g. the ‘front half’ of the Annual Report and Accounts), rather than being contained in a separate report. It is important that the information subject to assurance and the ‘other information’ can be distinguished, so that users can understand the practitioner’s responsibilities that attach to each, and do not place inappropriate confidence in information that has not been assured. It is important to note that, just because information is expressed in narrative or qualitative terms, it is not automatically ‘other information’. If qualitative information is part of the subject matter information for assurance, then the same rigour should be applied in obtaining evidence for it.

7. Systems, process, controls

Do the systems, processes and controls provide an adequate basis for the entity’s ESG information?

Financial reporting is well-established and usually subject to regulatory oversight. This means that the systems and processes in place to support financial reporting have had time to be developed, and are usually more mature than for ESG reporting, which is a new and evolving area of reporting. This may mean that preparer entities do not yet have a reliable or consistent basis for the ESG information they report.

Assurance practitioners will need to consider whether this presents a barrier to accepting the engagement: if the systems, processes and controls in place are not sufficiently robust to provide the entity with a reasonable basis for what it reports, that basis is unlikely to be sufficient for assurance purposes. It will also be important for the practitioner to bear in mind that, if there is a still-developing basis for the entity’s reporting, such that it would not support a reasonable assurance engagement, the practitioner should not accept the engagement as a limited assurance engagement either.

8. The right mix of skills

Will you be able to bring the right mix of skills to the engagement?

The engagement partner is responsible for making sure that there is appropriate competence and capability brought to bear on the engagement. The engagement partner also needs to have competence in assurance skills and techniques, developed through extensive training and practical application, as well as sufficient subject matter competence, to accept responsibility for the assurance conclusion. The engagement partner may use the work of subject matter experts if they conclude that the work of that expert is adequate for the purposes of the engagement, but the engagement partner remains solely responsible for the engagement.

It can be challenging, on ESG engagements, to know what expertise might be needed or how to coordinate the work of assurance practitioners and subject matter experts, and to make sure there is appropriate direction, supervision, review, and integration of their work. Where there is greater complexity in the underlying subject matter or its measurement, or the work of the individual on the engagement team is particularly significant to the engagement as a whole, greater direction, supervision, review and integration of that work may be needed than when the subject matter is less complex or the work of the individual relates to a less significant part of the engagement. Practitioners will want to plan accordingly, and, where a multi-disciplinary engagement team is used, consider how best to establish good communication within the team, so that they are able to work together as an integrated whole.

9. Evidence availability

Will the evidence needed to support the assurance conclusion be available?

As the underlying subject matter of ESG reporting is diverse, often difficult to measure or evaluate, and may not yet be subject to the same degree of rigour or control as historical financial reporting, it can be challenging for practitioners to be able to design and perform evidence-gathering procedures, and to decide how much evidence is enough to support their assurance conclusion. ESG reporting may also include information obtained from sources external to the entity, for example from supply chain parties, from agencies such as carbon offset registries, from organisations providing information such as CO2 conversion factors used in calculating or valuing the underlying subject matter, or industry benchmarking data. The entity may also outsource some of its activities to third parties, for example to carry out surveys on its behalf. Although not unique to ESG reporting, the entity may also use new or emerging technologies, for example, drones or satellite images to capture and record environmental information.

The practitioner will need to obtain enough of an understanding to be able to determine whether there is likely to be sufficient appropriate evidence available to support the assurance conclusion. Obtaining evidence may also require careful planning, coordination and communication with the entity’s management to arrange access to, and timing of, planned evidence-gathering activities. The practitioner will also want to consider how much evidence is needed, whether and how it will be able to be obtained from third parties, and how to determine whether evidence obtained is genuine (e.g. from satellite images or drone footage). If there is not an expectation of being able to obtain evidence, it is not permissible to accept the engagement as an assurance engagement. If it is discovered, after the engagement has been accepted, that there is insufficient evidence available, the engagement should not be changed to ‘scope out’ the information for which there is inadequate evidence; instead, the practitioner will need to consider the implications for the assurance conclusion (i.e. if material, will lead to a modified or disclaimed conclusion).

10. Level of assurance

Does the entity understand the level of assurance – limited or reasonable – and will the chosen level meet the needs of intended users?

There are important differences between limited and reasonable assurance, which are often misunderstood or not recognised. This lack of understanding has the potential to create an expectation gap between what the entity or intended users think assurance does and what it actually does, unless it is clearly explained. The assurance practitioner will therefore want to discuss with entity management who the intended users of the ESG information are, and whether a particular level of assurance is required by them (e.g. reasonable assurance may be required by regulation). The practitioner will also want to explain the limitations of limited assurance – i.e. that it is a lower level of assurance and, therefore, the confidence users can have in the ESG information is lower. 

Once the engagement has been accepted, the terms of the engagement cannot generally be changed, including a change from a reasonable assurance engagement to a limited assurance engagement, or from an assurance engagement to another form of engagement, so it is important for the entity to understand what it is they are agreeing to.

Once the engagement is accepted, the practitioner will also want to consider how to communicate in the assurance report, in a clear and understandable way, what level of assurance has been obtained, what that means in terms of work effort and to the resulting confidence users may have in the ESG information. For example, the summary of work performed in a limited assurance engagement is usually more detailed than for a reasonable assurance engagement. The greater detail in described procedures for limited assurance is intended to provide a basis for user understanding of the conclusion (i.e. that the conclusion is based on the stated procedures). However, that may seem counter-intuitive, and is often construed by users to mean that more extensive procedures have been performed than would be the case for reasonable assurance. It is therefore important that the practitioner also makes clear the limitations of the nature, timing and extent of procedures performed in a limited assurance engagement.
