Sustainability metrics and disclosures have attracted significant attention worldwide. However, auditing practices vary in the quantity of labor done, and investors might be lulled right into a false sense of security by the word “insurance.”
The voluntary nature of sustainability reporting has led to fragmented practices and concerns about greenwashing, resulting in recent regulatory actions akin to European Union (EU) Corporate Sustainability Reporting Directive (CSRD) and that Climate-Related Disclosure Rule for U.S. Securities and Exchange Commission Registrants..
With the increasing importance of environmental, social and governance (ESG) considerations, investors and other stakeholders are increasingly counting on sustainability information of their decision-making. This has after all led to an increased need for external auditing, even when there are not any regulatory requirements. For example the Center for Audit Quality noted that in 2021, 320 of the S&P 500 firms voluntarily purchased audit services for a few of their sustainability information.
However, these audit practices vary in the extent of assurance provided. The two common levels are “limited” and “appropriate”. So what do they cover and what sets them apart?
Auditing Sustainability Reports: What is Covered?
Sustainability reports cover a big selection of topics, from environmental impact to worker diversity to governance monitoring. They often communicate trends and necessary findings in the shape of numbers and tables.
In particular, sustainability audit engagements don’t routinely include all information disclosed in a sustainability report. To understand what’s promised in a sustainability report, you must take a look at the accompanying audit report. The audit report might be included within the sustainability report or available via linked links (e.g. on the corporate’s website).
The audit report should explicitly state what’s the subject of the audit. For example, the audit report for the Siemens Healthineers Sustainability Report 2023 explains: “We have carried out a limited security review of the information marked with the [check mark] Symbol (hereinafter the “Disclosures”) within the Sustainability Report of Siemens Healthineers AG.”
But the peace of mind statements for Coca-Cola’s 2022 Annual and Sustainability Report have Attachments List of indicators that were tested.
The audit report must also disclose the factors used to judge the sustainability information. For Siemens Healthineers, the factors are the Global Reporting Initiative standards. For Coca-Cola, the factors are also listed within the appendices and include company-specific manuals. Particularly in cases akin to the Coca-Cola example, investors are encouraged to examine the appendices to see whether the chosen criteria make sense in light of company-specific business processes.
In the absence of specific regulatory requirements, firms can go for either limited or sufficient security services. Limited assurance and reasonable assurance represent different levels of confidence within the accuracy of the data reported.
What is adequate security?
Adequate security is comparable to what most investors are acquainted with from financial audits. It offers the very best level of security. The auditor reduces the chance that the sustainability information is materially misrepresented to a predefined, acceptably low level, but never to zero.
Importantly, reasonable assurance doesn’t provide absolute assurance, even when it represents the very best type of assurance service offered. The insurance provider doesn’t guarantee that each one possible errors or indicators of fraud might be detected.
Since the audit engagement only provides “appropriate” assurance, the audit procedures are carried out on a test basis. This means the auditor takes samples and uses evaluation to discover specific transactions or estimates that require further testing.
Testing may involve tracing evidence using supporting documentation, confirming information with third parties or legal providers, consulting with specialists to confirm the appropriateness of assumptions made in estimates or calculations, and conducting on-site testing. This includes gaining a radical understanding of the processes management uses to arrange disclosures and testing the accuracy of knowledge processed by information technology systems and manual spreadsheets.
Finally, the auditor assesses whether errors or false statements were identified throughout the procedures. To determine whether management must correct these errors or misstatements before publishing the sustainability report, the auditor uses a predefined materiality threshold, which can or will not be disclosed within the audit report.
If the general impact of the identified errors or misstatements is below the predefined materiality threshold, the auditor may log off on the identified issues without additional disclosure as they’re considered less material.
The conclusion in an audit report on reasonable assurance is expressed in a positive form, as shown in the instance 2022/2023 ESG report from GUESS: “Our responsibility is to express an opinion on management’s assertion based on our audit. […] We believe that the evidence we receive is sufficient and appropriate to form a reasonable basis for our opinion. […] “In our opinion, management’s statement of key ESG metrics and disclosures for the year ended January 29, 2022 and January 28, 2023 is fairly presented in all material respects.”
Depending on the audit standard used, the audit provider will likely use the term “test” or “audit” to explain the reasonable assurance test.
What is Restricted Security?
In an audit to acquire limited assurance, the auditor continues to hunt to perform procedures that reduce the chance that the sustainability information is materially misstated. However, the accepted risk of fabric misstatement is higher in comparison with adequate testing.
The audit procedures performed are inherently limited in comparison with those in reasonable assurance audits. For example within the Coca-Cola 2022 Greenhouse Gas Emissions Security Statement, explains the auditor: “The procedures we carried out were based on our professional judgment. Our review consisted essentially of applying analytical techniques, interviewing the people responsible for the topic, and gaining an understanding of the data management systems and processes used to create, aggregate, and report the topic [i.e., selected GHG emission indicators] and carrying out such other procedures as we deemed necessary in the circumstances.”
The conclusion in a limited assurance audit report is expressed in a negative form. In the case of Coca-Cola, it states: “Our responsibility is to provide a conclusion on the issue.” [i.e., selected GHG emission indicators] based on our rating. […] We consider that the verification evidence received is sufficient and appropriate to form an affordable basis for our conclusion. […] Based on our review, we will not be aware of any material changes that might should be made to the list of chosen greenhouse gas emissions indicators for the 12 months ended December 31, 2022 to comply with the factors [i.e., Coca-Cola Company’s Carbon Accounting Manual].”
Depending on the auditing standard used, the auditor will likely use the term “audit” to explain the limited assurance audit.
Commitments to make sure sustainability: Key findings
Limited assurance audits provide a lower level of assurance because fewer audit procedures are performed and fewer evidence is obtained. Many firms select the lower security level since it is related to lower costs. Reasonable assurance testing involves more comprehensive procedures and provides the next level of assurance that potential material misstatements are identified and corrected.
An necessary finding is that a limited assurance report states that the peace of mind provider just isn’t aware of a cloth misstatement, whereas an affordable assurance report “certifies” that the data reported is substantially correct.
In order to evaluate whether and what sustainability audit obligation is provided, it is suggested that investors search and browse the audit report back to learn (1) which sustainability information is subject to audit procedures, (2) what criteria the sustainability information is assessed and (3) the measure of the required security. This will help investors gain a greater understanding of the standard of sustainability information received.
