Part 2: Independent assurance engagements on sustainability information
The assurance provider will need to consider the scope of their assurance to be provided, whether it is a limited or reasonable scope engagement.
In accordance with ISAE 3000, the engagement should be planned to assess the scope, timing and direction of the engagement and to ensure that the procedures will enable the team to gain sufficient appropriate audit evidence. The assurance engagement team must ensure that they have adequate time and resources, including whether they may need to seek the assistance of an independent expert.
It would also be applicable to apply other auditing standards to assurance engagements of other information, such as those stated above to ensure a quality assurance engagement.
The assurance provider faces some challenges in reviewing and providing assurance on non-financial performance measures.
There may be deficiencies in the controls and internal tools used by the company to collect and measure the information, and the controls may not be as established or robust as those within the financial reporting system which is more familiar to the assurance practitioner. This means that there is a higher risk of the assurance provider not identifying control deficiencies.
This may include information from sources such as:
The reliance which can be placed upon the evidence from third party sources will need to be assessed by the assurance provider using their professional judgement. There will need to be an understanding of how the information is collected and what, if any, recognized standards it adheres to. This is an area where the use of an independent expert may be required in order to identify whether any specialist information is consistent and relevant to the industry.
ISA 500 Audit Evidence
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence (para.6). Substantive procedures are designed to detect material misstatements at the assertion level. They comprise tests of details and substantive analytical procedures.
The assurance provider will need to ensure that they obtain sufficient appropriate evidence, and as there are a wide range of KPIs which may be used by management in sustainability reports, this may be challenging. However, there may be financial evidence to support some of the information in the report, as well as discussions with management or review of the board minutes.
A manufacturer reports on the wastage and pollution in its sustainability report.
Tests which may be performed:
The audit evidence obtained, depending on the level of assurance required by the scope of the engagement (limited or reasonable), should be reviewed using the professional judgement of the assurance provider. Responses from management should be viewed with an element of professional scepticism and considered in the light of the substantive work undertaken.
Professional scepticism may need to be applied to mitigate the risk of management bias in the reported figures, especially where there are significant impacts on the business if the report is to be relied upon by third parties, such as financial institutions, government bodies or those issuing licences to trade, which is common in regulated industries like energy production and supply.
Example from the Annual Report 2021 from Kier Plc 2021:
The auditor would have to assess the contents of the sustainability report of Kier Plc to ensure that it is materially consistent with the information in the financial statements. Possible audit evidence may include:
As in all assurance engagements, issues found during the assurance engagement should be reported to Those Charged with Governance.
The content and scope of the assurance provider’s report must be considered: If the report is to be included within the financial statements, which stakeholders will be relying upon it and what level of assurance is required. There should be an explicit reference to national or international standards for quality management and any reporting requirements which have been adhered to. ISAE 3000 also requires that the practitioner should be aware of whether any errors in the final assurance report may lead to reputational damage to the assurance provider.
EER and sustainability reporting is a rapidly changing specialism, and the assurance provider will need to ensure that they have sufficient expertise and experience when accepting engagements of this type.
The AAA exam does not require knowledge of specific sustainability or climate reporting standards, however students may be asked in the exam to assess a scenario whereby the assurance provider is asked to consider the risks of a non-financial engagement. Students should apply their knowledge of auditing and assurance standards and evaluate the risks in an exam question:
It is also recommended to review an annual report from a large, listed company and review the sustainability report and the auditor’s report.
Written by a member of the AAA examining team