Increasingly shareholders, especially institutional investors, are demanding more information so they can evaluate the impact of an organisation’s activities on the environment and society. In addition, organisations may see a competitive advantage in publishing their ‘green credentials’ as key performance indicators, driving a wider range of sustainability disclosures in published corporate information.
For the profession, there is an increased demand for independent assurance to be provided on this information. For example, in the European Union, the Corporate Sustainability Reporting Directive requires organisations that fall within its scope to report sustainability information and over the next few years they will also be required to obtain assurance on their reported sustainability information.
For assurance providers, increased demand for assurance provides a commercial opportunity. There are challenges in undertaking such engagements, but there are there are steps that the assurance provider can take to mitigate these. One specific area of potential difficulty relates to ethics, and this article will also consider how assurance providers should identify and respond to ethical threats.
The proposed standard – key principles
Proposed ISSA 5000 (ED) General Requirements for Sustainability Assurance Engagements was issued by the International Auditing and Assurance Standards Board (IAASB) in August 2023. On issuing the Exposure Draft, the IAASB commented that ‘this proposed standard will serve as a comprehensive, stand-alone standard suitable for any sustainability assurance engagements. It will apply to sustainability information reported across any sustainability topic and prepared under multiple frameworks. The proposed standard is also profession agnostic, supporting its use by both professional accountant and non-accountant assurance practitioners’.
There are two key principles to highlight:
Multiple frameworks
- ISSA 5000 (ED) is intended to apply under ‘multiple frameworks’. There are many different reporting frameworks which organisations may be required, or choose to, comply with. Reporting frameworks such as the Global Reporting Initiative, Integrated Reporting, and the Task Force on Climate-Related Financial Disclosures (TCFD) have developed over time. The International Sustainability Standards Board (ISSB) has issued two Sustainability Reporting Standards – IFRS S1 and IFRS S2. There are local regulations too, for example the EU has endorsed European Sustainability Reporting Standards (ESRS). Many organisations report under the scope of several frameworks, which is why it is important that ISSA 5000 (ED) can be applied whichever framework(s) are being applied.
Use by non-accountancy professionals
The second point to note is that ISSA 5000 (ED) is ‘profession agnostic’. This means that it can be used by any assurance practitioner as long as:
- They adhere to relevant ethical requirements, and
- Apply a system of quality management system which is at least as rigorous as those used by accounting practitioners.
This means that non-accountancy professionals can use ISSA 5000, for example, experts in environmental matters or scientists.
What is ‘sustainability’ in the context of sustainability reporting?
ISSA 5000 (ED) defines ‘sustainability matters’ as ‘environmental, social, economic and cultural matters, including the impacts of an entity’s activities, products and services on the environment, society, economy or culture, or the impacts on the entity; and the entity’s policies, performance, plans, goals and governance relating to such matters’.
ISSA 5000 (ED) goes further and provides examples of topics which may be included in sustainability information:
- Climate, including emissions.
- Energy, such as type of energy and consumption.
- Water and effluents, such as water consumption and water discharge
- Biodiversity, such as impacts on biodiversity or habitats protected and restored.
- Labour practices, such as diversity and equal opportunity, training and education, and occupational health and safety.
- Human rights and community relations, such as local community engagement, impact assessments and development programs.
- Customer health and safety.
- Economic impacts, such as government assistance, tax strategy, anti-competitive behaviour, anti-corruption and market presence.
There is a wide range of information that may be provided, and it could be provided in various ways, for example, in narrative disclosures, in tables of figures including performance indicators, in diagrams or graphics.
Applying ISSA 5000 (ED)
ISSA 5000 (ED) can be applied whether the engagement is designed to provide limited or reasonable assurance and it can be applied to all of an organisation’s sustainability disclosures, or just to part of them. The proposed standard is long, and complicated in parts, and this section of the article aims to provide an overview of the key requirements and concepts.
Objectives
The objectives of ISSA 5000 (ED) are:
‘(a) To obtain reasonable assurance or limited assurance, as applicable, about whether the sustainability information is free from material misstatement;
(b) To express a conclusion on the sustainability information through a written report that conveys a reasonable assurance or a limited assurance conclusion, as applicable, and describes the basis for the conclusion; and
(c) To communicate further as required by this ISSA and any other relevant ISSA’.
ISSA 5000 (ED) contains an appendix which illustrates different forms of assurance reports which can be provided, distinguishing between those reports which include limited and reasonable assurance conclusions. In line with other types of assurance engagement, the higher the level of assurance that is to be provided, more robust evidence is required to support the conclusion given by the assurance practitioner.
Acceptance of the engagement
Acceptance of a sustainability assurance engagement adopts principles consistent with those in ISQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or other Assurance or Related Services Engagements. Therefore, ISSA 5000 (ED) requires assurance practitioners to evaluate whether pre-conditions are present as part of their engagement acceptance procedures. These preconditions include:
- Understanding the scope of the work
- The sustainability information to be reported
- The reporting boundary (information, including activities and resources, to be included in the entity’s sustainability information)
- The existence of suitable criteria, and
- Determining the level of assurance to be provided.
ISSA 5000 (ED) highlights the importance of both firm-level and engagement-level quality management, stating that the engagement leader shall take overall responsibility for managing and achieving quality on the engagement and also requiring that the engagement leader must have competence and capabilities in assurance skills and techniques developed through extensive training and practical application. The engagement leader is also responsible for ethical considerations and ensuring that sufficient and appropriate resources are allocated to the engagement.
There is detailed guidance relating to the assurance team, with particularly emphasis on the relationship between the engagement team and ‘other practitioners’ and whether it is appropriate to use the work of others. There is also recognition that information on which assurance is provided is often derived from sources up and down the value chain of the reporting entity, so careful planning is required to ensure that the assurance team can obtain sufficient appropriate evidence in a timely manner.
Planning the engagement
It is crucial to obtain understanding over the organisation’s processes to identify the sustainability information to be reported. The assurance practitioner will need to spend time at the start of the engagement to ensure they have a good level of understanding of what is being reported, how it is being reported, and this includes understanding relevant internal controls.
The assurance practitioner must use risk assessment procedures, including procedures relating to fraud. The requirements vary depending on whether the engagement is to provide limited or reasonable assurance. For example, in reasonable assurance engagements, more work is needed on understanding the system of internal control.
Materiality
Materiality is a significant issue, and it needs to be applied using a ‘bifurcated’ approach. This means considering materiality for qualitative disclosures and determining materiality for quantitative disclosures. Materiality for a reasonable assurance engagement is the same as for a limited assurance engagement because materiality is based on the information needs of intended users.
However, it is important to understand that the organisation will have its own materiality process, including ‘double materiality’. This means consideration of the significance of the impact of a sustainability matter on the organisation, as well as the significance of the impacts of the business activity on the outside world (‘impact materiality’) . The assurance provider needs to understand the organisation’s materiality process, but this is separate from their own materiality considerations.
Where the concept of double materiality is relevant, the assurance practitioner should consider both financial and impact materiality when determining their materiality level for the purposes of planning and performing the engagement. It should be noted that the IAASB’s view is that it will not be relevant to every engagement.
It is important to note that when considering the materiality of potential misstatements, as with performance materiality, these may be both quantitative and qualitative in nature.
Obtaining evidence
When responding to risks of material misstatement, in designing and performing further audit procedures, the requirements vary depending on whether it is a limited assurance or a reasonable assurance engagement. For a reasonable assurance engagement:
ISA 5000 (ED) acknowledges that qualitative sustainability information and estimates or forward-looking information are both potentially difficult areas over which to obtain evidence. Therefore, the assurance practitioner must exercise significant professional judgement in evaluating what constitutes sufficient appropriate evidence in these circumstances.
Often, sustainability information is forward-looking and based on estimates and future plans. Organisations produce scenarios based on best-estimate or hypothetical assumptions which might be subject to management bias or great uncertainty. Evidence can therefore be difficult to obtain, and the assurance practitioner may need to exercise a significant level of judgement in determining whether they have obtained sufficient and appropriate evidence.
Also, as already stated, this is in addition to the evidence which may be required from external experts and parties within the entity’s value chain. It is essential that sufficient time and resources are assigned to the engagement.
Reporting
It is important that users of assurance reports understand the level of assurance being provided. The report must state that ‘the procedures in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement and, consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed’.
Greenwashing and other risks in sustainability reporting
Greenwashing is a significant potential problem, this being when an organisation makes false or misleading statements about sustainability information. This concept is very similar to that of ‘creative accounting’ – where financial information is manipulated to serve the needs of the preparer of the information, rather than for the needs of the users of that information. Greenwashing can be considered to be fraudulent reporting. Added to this, the systems and processes that are generating sustainability information are often subject to change as the sustainability reporting requirements develop. Therefore, there is a higher risk of error, as well as deliberate misstatement, in the sustainability information that is published.
These risks, when coupled with the potential difficulties of obtaining evidence over qualitative disclosures and future-oriented information means that there can be danger of issuing an inappropriate assurance opinion. There is a reputation risk for the assurance provider if they report positively on sustainability information which turns out to the incorrect, inaccurate or exaggerated.
Given the risks of greenwashing mentioned previously, there is a need to apply professional scepticism and to document how this has been applied as part of obtaining the evidence which backs up the assurance conclusion.
The ethical angle for assurance providers
Assurance providers need to adhere to relevant ethical codes of practice, just as when they are performing other professional engagements. The IESBA Code of Ethics includes the principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.
Perhaps the most obvious threat to ethics relates to the assurance provider’s professional competence. While many organisations have been reporting on sustainability matters for years, for assurance providers the new reporting standards are largely unfamiliar territory, so there is a real issue that professional accountants lack the necessary knowledge to provide assurance on sustainability information. Knowledge can be developed but a deeper level of understanding cannot be developed overnight. An assurance provider could have a self-interest threat in securing an engagement to report on sustainability information, giving the firm a foothold in a potentially lucrative new line of work. So, for purely commercial reasons, the audit firm might take on the job even if they are not competent to do it.
There could also be a self-review threat if an assurance provider is performing the external audit of financial statements as well as working on the sustainability information of the organisation. In this case, the assurance provider should make sure that separate teams are used for the different aspects of work.
Ultimately the audit firm would need to apply appropriate professional behaviour, ensuring that commercial objectives are not prioritised over principles of integrity.