Independent assurance engagement
The assurance provider will need to consider the scope of their assurance to be provided, whether it is a limited or reasonable scope engagement.
In accordance with ISAE 3000, the engagement should be planned to assess the scope, timing and direction of the engagement and to ensure that the procedures will enable the team to gain sufficient appropriate audit evidence. The assurance engagement team must ensure that they have adequate time and resources, including whether they may need to seek the assistance of an independent expert.
It would also be applicable to apply other auditing standards to assurance engagements of other information, such as those stated above to ensure a quality assurance engagement.
Providing assurance on performance measures
The assurance provider faces some challenges in reviewing and providing assurance on non-financial performance measures.
Information internally generated
There may be deficiencies in the controls and internal tools used by the company to collect and measure the information, and the controls may not be as established or robust as those within the financial reporting system which is more familiar to the assurance practitioner. This means that there is a higher risk of the assurance provider not identifying control deficiencies.
Information from third party sources
This may include information from sources such as:
- entities within the supply chain (suppliers, contractors)
- external agencies e.g. carbon offset registries, industry benchmark specialists, external carbon dioxide calculation tools.
The reliance which can be placed upon the evidence from third party sources will need to be assessed by the assurance provider using their professional judgement. There will need to be an understanding of how the information is collected and what, if any, recognized standards it adheres to. This is an area where the use of an independent expert may be required in order to identify whether any specialist information is consistent and relevant to the industry.
Substantive procedures to detect potential misstatements re socio-environmental and sustainability matters
ISA 500 Audit Evidence
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence (para.6). Substantive procedures are designed to detect material misstatements at the assertion level. They comprise tests of details and substantive analytical procedures.
The assurance provider will need to ensure that they obtain sufficient appropriate evidence, and as there are a wide range of KPIs which may be used by management in sustainability reports, this may be challenging. However, there may be financial evidence to support some of the information in the report, as well as discussions with management or review of the board minutes.
Example
A manufacturer reports on the wastage and pollution in its sustainability report.
Tests which may be performed:
- Review of any fines in the financial statements to see whether the company has incurred financial penalties as a result of environmental breaches.
- Enquire and review the legal documentation, including legal expenses, to assess whether legal advice was sought in response to a breach of regulations.
- Enquire whether there are financial impacts of increased waste, such as costs of disposal, or incentives by governmental bodies to increase recycling or waste reduction. These may be reflected in the financial statements within expenses or other income.
- Significant issues may be reflected in the press or by third party ‘whistleblowers’.
- If wastage increases, there may an increase in the cost per unit, this may be assessed by a review of the cost per unit and whether more material is required to manufacture the units. Performing analytical reviews of the costs may highlight potential issues in this area.
The audit evidence obtained, depending on the level of assurance required by the scope of the engagement (limited or reasonable), should be reviewed using the professional judgement of the assurance provider. Responses from management should be viewed with an element of professional scepticism and considered in the light of the substantive work undertaken.
Professional scepticism may need to be applied to mitigate the risk of management bias in the reported figures, especially where there are significant impacts on the business if the report is to be relied upon by third parties, such as financial institutions, government bodies or those issuing licences to trade, which is common in regulated industries like energy production and supply.
Example from the Annual Report 2021 from Kier Plc 2021: