Assurance for sustainability: who is it really serving?

Assurance of sustainability reports is meant to tell us that the reporting has been done properly. Shouldn’t that question be answered from the perspective of the people most affected by an organisation’s actions? Our columnist Jeremy Nicholls digs into the detail – and explains why it's worth fighting for.

First published 25 April 2023 Pioneers Post

Audit and assurance may seem boring. But getting them right is fundamental for sustainability reports, otherwise the people who experience the consequences of an organisation’s actions will never be able to hold that organisation to account. Someone, acting in their interests, has to make sure the information being reported meets the standard being used to prepare the account.


The main standard used for assuring information in corporate sustainability reports is currently ISAE 3000, which is overseen by the International Audit and Assurance Standards Board (IAASB). This generic standard is used for assurance of non-financial information, sometimes in conjunction with ISAE 3410 (greenhouse gas disclosures) or Accountability’s AA1000AS. However, because assuring sustainability reporting requires a particular focus, the IAASB is currently developing a specific standard for the assurance of these reports, the International Standard on Sustainability Assurance (ISSA) 5000.

Glance through the sustainability report of a major company and you’ll find that some of the information there has been assured. Towards the end of the report, the assurance provider will include their Assurance Report with their opinion on whether the assured information meets the reporting criteria being used by the company (for example, those of the Global Reporting Initiative or the Sustainability Accounting Standards Board (SASB), or regulatory reporting requirements such as the EU’s non-financial reporting directive).

In the examples that I have seen, the assurance report starts with something like:

‘XX has been commissioned to provide independent limited assurance on selected information in YY Sustainability Report 2019. Our assurance engagement was undertaken in accordance with ISAE 3000’


The opinion will be something along the following lines:

‘Based on the procedures we have performed and the evidence we have obtained, nothing has come to our attention that causes us to believe that the selected information, prepared in accordance with [the reporting criteria] for the period from January 1, 2019 to December 31, 2019, is not fairly stated, in all material respects.’


And then at the end (and in the last example I looked at, this was in smaller print) a disclaimer, such as:

‘XX assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with XX for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.’

or something like:


‘This report was developed in accordance with our engagement letter with YY and is subject to the terms and conditions included therein. It is solely for the use and benefit of and pursuant to a client relationship exclusively with YY. XX disclaims any responsibility to others based on its use and accordingly this information may not be relied upon by anyone other than YY.’

Assurance or consultancy?

I think there is a significant issue here and despite investigating it further, I still came to the same conclusion.


I would argue that any opinion which includes such a disclaimer fails to meet the three-party relationship requirement of an assurance engagement, as defined in assurance standards. The sustainability report is prepared by the organisation and then checked, using ISAE 3000, for the very people who prepared the report. This seems to be a consultancy engagement rather than an assurance engagement. Even the example above calls it ‘a client relationship’. And therefore it would not meet the requirements of ISAE 3000.


Para 12 of ISAE 3000 defines an assurance engagement as:

‘an engagement in which a practitioner aims to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information (that is, the outcome of the measurement or evaluation of an underlying subject matter against criteria).’


Surely a disclaimer, such as the ones mentioned above, that seeks to limit the assurance opinion to the party responsible for producing the information means this isn’t an assurance engagement, and doesn’t meet the requirements of ISAE 3000?


In fact, para 25 states:

‘If the preconditions for an assurance engagement are not present, the practitioner shall discuss the matter with the engaging party. If changes cannot be made to meet the preconditions, the practitioner shall not accept the engagement as an assurance engagement unless required by law or regulation to do so. However, an engagement conducted under such circumstances does not comply with ISAEs. Accordingly, the practitioner shall not include any reference within the assurance report to the engagement having been conducted in accordance with this ISAE or any other ISAE(s).’


Paragraph A37 spells this out again:

‘All assurance engagements have at least three parties: the responsible party, the practitioner, and the intended users…’


And the ISAE 3000 Appendix (3) also states:

‘The responsible party can be one of the intended users, but not the only one.’

This all seems pretty fundamental. So where has this practice of adding disclaimers come from?

A defined group

I have had a few discussions about this. One explanation went along the lines that ‘the group of people experiencing sustainability impacts is not a defined group, so cannot be the third party using the report, so we have to use the directors’. If this is true, then this is also a problem for the audit of financial reports. The financial statements are prepared for current and potential users, and potential users are not a defined group. The audit report is only provided to existing investors, which means that the majority of the primary users of financial statements are not getting any assurance – unless they think they can broadly rely on the audit opinion provided to existing investors.


This is a practical issue for the FRC Group, a social enterprise in Liverpool that provides contract quality furniture to social landlords, housing associations and local authority welfare provision programmes and campaigns to end furniture poverty. The company’s directors have been asking their assurance provider to carry out the audit as if they were acting in the interests of the people experiencing the impacts of FRC’s work.

This situation is specifically allowed for in IAASB Guidance on Assurance of Extended External Reporting (EER).


Paragraph 145 states:

‘A distinction is made between intended users and stakeholders. A stakeholder in the entity may:

  • Have a relationship and interactions with the entity.

  • Be directly or indirectly affected by the entity’s actions.

There may be circumstances when the stakeholders and intended users are not the same. When a stakeholder is not an intended user, their interests may be taken into account by other parties who are intended users. It should not be assumed that, just because a class of stakeholders that would have a legitimate interest in the EER report is not expected to use the report, information about reporting topics that would meet their information needs would not be relevant to the other classes of intended users, when the categories of intended users are diverse.’


And, hands up, I had some involvement in the drafting of this Guidance.


We could now have a defined group.


My next point of call for checking the concern that ISAE assurance requirements were not being met was the IAASB. However, IAASB does not comment on the application of their standards and directed me to the relevant professional body, in my case, the Institute of Chartered Accountants in England and Wales (ICAEW). I had an online chat, and the discussion started by referring me to para 69b.


‘Addressee (Ref: Para. 69(b))

A162. An addressee identifies the party or parties to whom the assurance report is directed. The assurance report is ordinarily addressed to the engaging party, but in some cases there may be other intended users.’


Which would appear to permit an assurance report to be addressed to the engaging party defined as:

‘The party(ies) that engages the practitioner to perform the assurance engagement. (Ref: Para. A15)’

So the engaging party will often be the responsible party – as the organisation preparing the information usually also contracts with the assurance provider.


This is fine but doesn’t mean the opinion can only be used by the addressee. The requirement for a three-party relationship still stands, irrespective of who gets the email with the assurance report attached.

Using the words ‘addressee’ and ‘other users’ in the same sentence does seem to imply that the addressee is a user. Possibly, but only if the addressee is not the responsible party. Perhaps this was the source of the problem.


The discussion then moved on to the use of disclaimers, often referred to as Bannerman paragraphs, to reduce auditors’ liability. For example, from ICAEW at the end of Appendix 1:

‘Use of our report: This report is made solely to the company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006. Our audit work has been undertaken so that we might state to the company’s members those matters we are required to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the company and the company’s members as a body, for our audit work, for this report, or for the opinions we have formed.’


Accountingweb in 2018 summarised the current situation:

‘To finally clarify the position, the ICAEW issued a revised Technical Release 01/03AAF, The audit report and auditors’ duty of care to third parties (Tech 01/03AAF), in May 2018. Their recommendation, with advice from Leading Counsel, is that auditors who wish to manage the risk of liability to third parties use a disclaimer, placed as the final section of the audit report directly before the auditor’s signature.

Note, however, that ACCA, a global body for professional accountants, doesn’t encourage the inclusion of standard disclaimer clauses in audit reports. It accepts that members may wish to make specific disclaimers of responsibility in appropriate, defined circumstances – but it doesn’t encourage their use on a regular basis.

ACCA also does not believe that, where an audit is properly carried out, such clauses are necessary to protect auditors’ interests.’


Is there any reason why this conclusion would not also apply to assurance of sustainability reports? However, even if it did, the problem is still that we don’t have an external third party.

Whose interests?

Finally I was directed to ICAEW guidance, which pointed out that you can retain a three-party relationship in an internal assurance process, as shown in the diagram below.

‘While it is less usual for the responsible party and users to be from the same organisation, this situation can arise. In most cases, the responsible party or users anticipate or have in mind external users who would be interested in the subject matter, subject matter information, or relevant assurance reporting, regardless of whether an assurance report they commission would be made available to them or not. For example, annual reports contain a range of detailed disclosures.

Such disclosures are intended for shareholders and the statutory audit provides a degree of assurance over them. However, due to the relative sensitivity or importance of a specific aspect of disclosures, the audit committee may decide to obtain an assurance report on that aspect.

Such an assurance report may be issued to the audit committee, however, it is clearly requested with the interests of the body of shareholders in mind and the practitioner would bear the needs of the shareholders in mind when considering matters such as the criteria and materiality. The report would usually be addressed to the company.’


Here the audit committee is acting in the interests of the external user group and the assurance provider will have to consider that interest in determining criteria and in forming an opinion. It doesn’t seem that easy to then state that that user cannot rely on the opinion.


It does, though, say ‘in most cases’. The alternative, in the other cases, would seem to mean that sustainability reports are for internal use, but that the users have chosen to make the information public.

Either way, this could meet the requirements for a three-party relationship, providing these parties are clear. Looking back at those examples it is not clear who the responsible party and users are and, if an internal user, either in whose interest they are acting or why the information was made public. Even in the examples provided at the end of ISAE 3000 it was not clear to me who were the intended users.


I am left wondering how many engagement parties are aware of all this and how many people who read sustainability reports get to the section in the Assurance Report which tells them they cannot rely on the assurance opinion when making any decisions based on the assured information.

This is a huge problem. If assurance of sustainability reports is going to mean anything, the opinion must be for a user other than whoever produced the information. It needs an external user.


For some sustainability reports this could be the same as the financial audit – for the members, ie, the current investors. But it really needs to be for the people who experience the impacts. This group are often not in a position to make decisions and use the information, so for assurance to be carried out in their interests, one of the users will have to act in their interest – and we are back to the discussion I previously explored on assurance. Even if the directors were to state that they were acting in the interests of those experiencing impacts, as FRC Group is trying to do, it would be difficult for those users to make a claim that their interests were not being represented. I think there would need to be a third party so that the assurance provider’s responsibility is clear and so that they can be held to account.


Assurance of sustainability reporting under either the European Commission’s Corporate Sustainability Reporting Directive or ISSB is likely to become a legal requirement and IAASB’s new standard for assurance of sustainability reports, currently being drafted, will be important. It is critical that assurance opinions based on this standard do not permit a restriction of the intended audience. They should be opinions that can be relied on by a third party, either the same users as for the financial audit or, if the scope relates to reports on the sustainability-related consequences of a business, for users representing the interests of those experiencing those consequences.


External users, responsible parties, assurance engagement – yes, it may all seem very dry. But, as is often the case, effective accountability depends on the detail. It will need to be fought for.

  • Jeremy Nicholls is the assurance framework lead for the UNDP SDG Impact Standards and an ambassador to the Capitals Coalition. He is a former director and one of the founders of Social Value International.

  • Jennifer Iansen-Rogers contributed to the ideas and arguments in this piece.
