Main purpose: Comprehend the role of assurances in sustainability performance and the reporting of sustainability performance.
Objectives: After reading this chapter, you should be able to do the following:
There can be no great courage where there is no confidence or assurance, and half the battle is in the conviction that we can do what we undertake.
—Orison Swett Marden
Thus far, we have reviewed all the major dimensions of the sustainability model for organizations. We started with the stakeholders and their input into the policy of an organization. Organizations also participate in multi-stakeholder groups to develop a tight link between stakeholders’ needs and desires and their policy. Then, we moved to the management systems, which develop a tight link between the organization’s policy and its performance. The next dimension we studied was performance in which we learned approaches to ensure credibility in the eyes of both internal and external stakeholders through selection of appropriate indicators. To develop a tight link between the organization’s performance and stakeholders’ needs and desires, organizations provide many forms of sustainability reporting. Our final topic is assurance, which often pertains to the accuracy of the performance metrics used for sustainability reporting. However, management might decide to provide more certainty to other aspects of the dimensions in the model for sustainability. Assurances help to give confidence that the linkages illustrated in the model for organizational sustainability are strong and working properly. (See Figure 7.1.)
Figure 7.1 Assurances for sustainability reporting
Source: Based on Zenisek 1979
Various levels of management and the board of directors want assurance that the organization has the right processes and controls to link its policy statements to its actual performance. They also want to have confidence that the performance indicators provided in the sustainability report are representative of the organization’s actual performance and that the report does not contain any material errors or omissions which may create legal or reputational problems for the company.
Confidence in Reporting
Assurance of any type provides confidence to the organization, as well as its stakeholders, that the information reported is “reasonably accurate,” honest, and reliable for decision making. We use “reasonably” because the report contains many estimates, and an organization’s sustainability progress can be reported using different standards/guidelines. In financial accounting, the term “faithful representation” is used in a similar manner. As well, the term “assurance” is used rather than audit because an audit is only one procedure used to provide assurance. Assurance is a broad, all-encompassing term that applies to the outcome of various types of reviews or verification processes, some of which are audits. It is helpful to think of assurance techniques on a spectrum indicating degree of rigor, with auditing as the most intensive and periodic checks as the least intensive.
Assurances let stakeholders know that the sustainability report fairly represents a company’s performance, the same as financial assurances (usually called audits) do for the capital providers of publicly traded companies. However, unlike financial audits that have been around for many years and are standardized, assurance providers for sustainability reporting have gained prominence only since the early 2000s. Assurance providers had to learn how to assure this information by adapting their experience from financial audits. Initially, there were no guidelines available specifically for sustainability assurance, and assurance providers along with standard setting bodies had to develop them. Because assurance statements are new and still changing, not all statements contain exactly the same information. Furthermore, many types of organizations in addition to accounting firms provide assurance for sustainability reporting. Therefore, we discuss various approaches to provide assurance in this chapter.
Organizations use assurances in a number of different ways concerning sustainability. Assurances can be provided on the management system itself or any of its various components. Assurance procedures can also confirm that the company calculated its performance indicators in accordance with a certain standard (e.g., that the calculations for GHG emissions follow a certain protocol or standard, or that reporting is compliant with the GRI Reporting Standards). Assurances help to determine if employees follow proper procedures and processes to support credible reporting. Internal or external personnel can perform the procedures necessary for assurance depending on the objective. Note the different types of assurances that Apple performed on its processes, performance, and report.
Sustainability in Action: Apple’s Assurances and Review Statements
Apple uses two firms (see the report for more detail of audits and assurances).
Bureau Veritas
Fraunhofer Institute
Are these assurances reliable?
Source: Apple (2018, pp. 62–74)
Internal Versus External Assurances
Both internal and external assurances improve the quality of information. Internal controls and internal audits (internal assurances), independent third-party reviews, and third-party commentaries (external assurances) all help to make information more credible and therefore more useful to the reader. Thus, everyone benefits. Assurances can do the following:
Similar to financial accounting, if a company has completed rigorous internal assurances, then the external assurance is less costly (for financial accounting, the term generally used is internal and external audit). Regarding internal assurances, a department or division within an organization that is knowledgeable about the subject matter usually performs a review or an audit on a sustainability activity that is the responsibility of another department or division. In contrast, an objective third party, knowledgeable about the sustainability aspect but not employed by the organization, performs an external assurance.
Processes for internal assurances are generally proactive and attempt to ensure that there is a system in place to aid in accomplishing objectives and to provide accurate and relevant reporting on the objectives. They also quickly help to identify problems occurring during an activity, such as a data collection process, and before the final sustainability report is prepared. On the other hand, processes for external assurances are generally reactive and identify inadequate reporting systems, errors, inaccuracies, or inadequate performance after an activity has occurred, such as after a report is prepared but before it is made available to the stakeholders. For an excellent comparison of internal versus external assurances regarding financial reporting, see Factsheet: Internal Audit versus External Audit (IIA Australia 2018).
Internal Assurance: Internal Controls and Internal Audits
There are many types of internal assurances. We learn two main categories and their relationship: internal controls and internal audits. Internal personnel work with both. Generally, internal assurances (both internal controls and internal audits) come from the internal auditing function within the company. For financial reporting, internal auditors are professionally trained in controls and audits. For sustainability controls or reporting, often a multidisciplinary team is created. An internal auditor who is professionally trained in auditing heads the team and other members from technical areas work together to help the board of directors and management with any of the following duties (IIA, n.d.):
See Table 7.1 for a partial list of examples of the different types of internal assurances that Samsung uses. Note that the company clearly assigns responsibility for each of the assurances.
Table 7.1 Samsung: internal responsibilities for assurances
| Category | Management system | Mandate | Responsibility units |
| --- | --- | --- | --- |
| Compliance | Compliance Program Management System (CPMS1) | Reporting of compliance violations, help desk, self-initiated reviews, posting of manuals and guides | Corporate Compliance Team, Global Privacy Office |
| Anti-corruption | Ethics Management System | Posting of the Management Principles and Code of Conduct, reporting of corrupt practices | Audit Team |
| Personal Information Security | Privacy Legal Management | Personal data protection management of products and services | Global Privacy Office |
| Intellectual Property Rights | IT4U | Ban on the illegal use of software | IT Strategy Group |
| Labor Relations | GHRP Portal | Compliance with labor standards, posting of HR regulations | HR Team |
| Environmental compliance | Global Environment, Health and Safety System (G-EHS3) | Environment & Safety of workplaces and products | Global EHS Center |
| Trade | Conflict Minerals Management System (TCS4) | Strategic resources, management of conflict minerals use | Corporate Compliance Team |
Samsung Electronics, 2018, 103
Internal Controls. Recall that a management system consists of the entire set of policies, procedures, monitoring, and tracking mechanisms. Sometimes the term management system is expanded to management planning and control system to be more specific about what it does. Management systems and their controls can be specified by an external organization such as ISO 14001. Nevertheless, they must be developed internally and customized to meet the organization’s needs. Internal controls can be both formal and informal. Commitment and capability tend to be informal controls, so it is more difficult for an auditor to determine whether they are at the right levels. Regardless, they are extremely important, and certain types of controls can help support commitment and capability (Chapter 4). We briefly review the controls related to commitment and capability. Two very different companies, an energy company and a retail running shoe and apparel manufacturer, indicate the importance of internal controls for performance and reporting.
Sustainability in Action: ConocoPhillips and Nike
ConocoPhillips reports (ConocoPhillips, 2017, p. 53):
Our internal quality assurance process begins at the business unit level. This process includes
Nike reports (Nike 2016/17, p. 2):
Based upon a thorough review by NIKE’s internal audit function, considerable progress has been made to NIKE’s sustainability data processes over the past several fiscal years, including but not limited to:
The review also identified opportunities to further improve systems and controls around sustainability reporting. NIKE will continue to evolve and address information systems in light of this goal.
Both companies identified the importance of governance, not only at the highest levels (Nike) but also throughout the organization’s business units (ConocoPhillips). Part of governance is assigning responsibility. However, ensuring accountability is much broader than just a formal assignment of job duties. Management establishes an informal culture of accountability within an organization by developing high expectations that employees will make ethical decisions even when formal controls cannot be established or performance monitored. Some controls that support accountability follow:
Part of the internal auditor’s responsibilities is to identify control procedures necessary in various business units and help the employees in the unit to design and implement the procedures. The auditor helps the employees take responsibility for the continued use and maintenance of the controls to achieve the desired objectives. This approach helps with capability and commitment of the employees. Then, periodically the auditor will return to perform a review to determine if the controls are still appropriate and working.
Internal Audits. An internal audit is a more formal periodic and systematic review to determine “how well risks are managed including whether the right processes are in place, and whether agreed procedures are being adhered to” (IIA 2019). Internal auditors perform internal audits. They are employees of the organization being audited. An auditor should be independent of the subject matter he or she is auditing. As an employee of an organization that is receiving an audit, the internal auditor’s independence is compromised to some degree. The auditors might hesitate to report that controls need to be improved for fear of losing their jobs. However, direct lines of reporting to top management and/or to the board of directors create more independence for the internal auditors. Internal auditors provide many benefits to an organization, especially early identification of potential problems; consequently, it benefits an organization to have a team of auditors working for the organization full time.
Internal auditors follow a set of professional standards to perform a review and provide an opinion on the subject matter of the audit. Similar to setting up internal controls, a multidisciplinary audit team, headed by a professionally trained auditor, will carry out the audit. Technical expertise is also needed. For example, the auditor might not be familiar with the regulations and calculations specific to GHG emissions. Therefore, an engineer with experience on emissions calculations will likely join the team. Teams of auditors review internal controls to ensure they are still appropriate if the operating environment has changed. They also check to ensure that employees are following the controls that are in place and not by-passing them. The team will make recommendations for improvements if they identify weaknesses.
Sustainability in Action: Air France/KLM: Internal Audit
A series of female-male comparative indicators have been included in the steering of human resources policies and management processes (training, careers, quality of life in the workplace, remuneration …). These indicators are monitored annually within the framework of an audit carried out with each division to make sure women and men are treated equally.
Source: Air France/KLM (2017, p. 84)
Similar to an external assurance provider, internal auditors can review certain indicators in a sustainability report, determine if the sustainability indicator conforms to certain standards such as Global Reporting Initiative (GRI), or review an entire report for accuracy. Because external assurances are costly, often an organization will start with an internal audit of its report before it engages an external assurance provider. If an organization’s internal controls and information systems are well maintained, as evidenced by the internal audit team, the external assurance will be less costly and the likelihood is greater that the assurance provider will not find any major weaknesses.
External Assurances: Third-Party Assurance and Commentaries
This section covers two types of external assurance: those provided by third-party providers and those provided by stakeholders. External assurances are performed by independent third parties who are not employees of the organization. Firms that provide external assurances will typically create a team of specialists with expertise in a variety of areas, such as auditing, engineering, science, and business. Because sustainability topics are multidimensional, the assurance team must have expertise in auditing as well as technical expertise on various aspects of the environment and social dimensions, similar to internal audits. Third-party commentary or stakeholder panels are also used by companies to provide feedback on performance, which is useful both to the organization and to the reader of the report. However, their comments are often not published in the sustainability report.
Third-Party Assurance
The role of external assurances in sustainability reporting can be confusing when compared to the role of audits in financial reporting because there are several different types of reviews performed by professional assurance providers, whereas a financial audit is the most common assurance on the financial statements. Reviews performed by assurance providers on sustainability reporting provide either limited or reasonable assurance. They can also be general (on the entire report) or specific (on a few indicators or a certain part of the report). As well, the assurance statements are not standardized like financial audits. Therefore, the reader must review the assurance statement carefully. This section helps the reader to recognize several characteristics that are normally found in third-party reviews/assurances.
The International Standard on Assurance Engagements (IAASB ISAE 3000 Revised 2013, p. 7) defines an assurance engagement for the following purpose:
a practitioner is to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information …
What does all that mean?
Therefore, for external assurance an organization engages an independent third party (not an employee of the organization) to perform a review and then to make a statement as to the accuracy of the information provided or the adherence to some standard. The assurance provider (the independent third party) then provides an opinion, along with other information, in an assurance statement. Table 7.2 contains a list of characteristics that are generally provided in assurance statements. Not all assurance statements will contain all characteristics, but the more details that are provided, the greater is the ability to judge the breadth and depth of the review and the quality of the assurance.
Table 7.2 Characteristics of independent assurance statements
| Characteristic | Answers the Question(s) |
| --- | --- |
| Specific addressee | To whom is the assurance provided? |
| Name of the assurance provider | Who performed the review? |
| Extent of the review that was performed | Was it limited or reasonable? |
| Responsibilities of organization receiving assurance | What does the assurer assume the organization did to prepare the report? |
| Scope of the review/responsibilities of assurer | Which indicators or operations were assured? |
| Limitations or exclusions | Were any activities not included? |
| Procedures used or work performed | What was done during the review? |
| Standard(s) used to perform the review | Were professional or well-accepted standards followed to ensure a high-quality review? |
| Standard(s) used to assess the reporting | Did the review determine if the report adheres to a standard or a mix of standards? |
| Independence of the assurer | How objective is the assurer? |
| Qualifications of the assurer | Does the assurer have the experience and education to provide the review? |
| Opinion or conclusions | What decision was made upon completion? |
| Observations/recommendations for improvement | Were suggestions made for improvement? |
| Organization’s response | Did the organization respond to the observations/recommendations? |
Several of these characteristics deserve further attention. The following sections provide additional information on the levels of assurance provided (limited and reasonable), assurance provider and expertise, independence, standards used, and scope.
Limited and reasonable assurance. Most assurance standards offer two levels of assurance:
The level of assurance provided, whether limited or reasonable, will differ depending on the time and effort required to complete the assurance procedures. A higher level of assurance requires more investigation to check for accuracy of the information and therefore is more costly. The assurance provider checks more documents and conducts more interviews with management and staff to express reasonable rather than limited assurance. (For more information on this topic, see ISAE 3000 Revised 2013 or GRI’s The external assurance of sustainability reporting 2013.) Table 7.3 explains the differences in limited versus reasonable assurances.
Table 7.3 External assurance: Limited versus reasonable assurance
| Characteristic | Limited Assurance | Reasonable Assurance |
| --- | --- | --- |
| Other possible names | Negative Assurance | Positive Assurance |
| Wording used | “nothing has come to our attention that would cause us to believe the information is not accurate in all material aspects …” | “in our opinion, the reported information has been presented fairly in all material aspects …” |
| Procedures performed | Identifying areas of risk of misstatement; assessing the data management processes and controls; performing procedures such as interviews and analytic testing sufficient to provide limited assurance. | The same procedures for limited assurance but more thorough and detailed checking of the effectiveness of the related controls to provide reasonable assurance of the reliability of the results. |
| Scope of use | The entire report, all indicators, or a set of selected indicators. | The entire report, all indicators, or a set of selected indicators. |
Assurance Provider and Expertise. In practice, many different types of organizations perform reviews to provide assurance statements; therefore, not all assurance statements are the same. Most assurances are provided by public accounting firms, but all of the following types of organizations can provide assurances:
Because each organization has its preferred method of assurance, a reader must know how to determine the underlying value of the assurance and thus the credibility of the information in the report. Each assurance provider will vary on the following characteristics:
Table 7.4 provides five well-known companies and the name of the assurance provider for their stand-alone sustainability report.
Table 7.4 Sample of companies and their assurance providers
| Company | Assurance Provider |
| --- | --- |
| BMW | PwC |
| Coca-Cola | E&Y |
| | Cameron-Cole |
| Nestlé | Bureau Veritas |
| Royal Dutch Shell | LRQA (Lloyd’s Register Quality Assurance) |
Independence. If a fair and unbiased opinion is to be provided on the reported information, the assurance provider must be objective. Because objectivity is difficult to determine, an organization attempts to select a provider who is independent of the organization being serviced. There are several ways in which an assurance provider’s independence can be tainted, but here are three key examples:
Auditing Guidelines/Standards. Several professional bodies now provide guidelines or standards to use when reviewing sustainability reporting. The following have been used recently to provide assurance (with the ISAE guideline as the most used):
In addition to these general review standards, professional reviewers will also use specific guidelines that apply to a specific industry or a specific aspect of sustainability (e.g., GHG emissions in the mining industry). Here is a sample of some of the other standards/protocols/principles that have been used to provide assurance engagements recently.
Scope. Some assurances are general and cover all indicators in addition to the narrative in the report. Other assurances cover only specific indicators or certain aspects of the report. It is essential to read the statement carefully to determine the exact scope of the assurance engagement. The assurance provider and the organization negotiate a contract to determine which services will be provided in the assurance engagement. As the cost of the assurance engagement is dependent on the sophistication of the organization’s information systems, often an organization will opt for assuring only those indicators that come from its most developed information systems or that are of most importance to its stakeholders. Therefore, the indicators that are assured may differ from one organization to the next. Some assurance engagements also determine if the report is prepared according to a set of guidelines, such as the GRI Reporting Standards.
Both limited and reasonable assurances can be carried out either on the entire set of reported indicators in a report or on a narrower set of selected indicators. If a narrower set is assured, the organization will provide some indication, such as a list, mark, or star, to clarify the level of assurance for each indicator. Table 7.5 provides examples of the types of assurances (limited or reasonable; general or specific) that appear in a sample of companies’ sustainability reports.
Table 7.5 Third-party reviews: Limited and reasonable, general, and specific
Organizations will choose the type of assurance that is most appropriate for their state of reporting or that is required by regulation (e.g., in some jurisdictions, companies are required to have their greenhouse gas emissions reporting assured to a level of limited or reasonable).

| Type of Assurance | Company Example | Assurance Details |
| --- | --- | --- |
| Limited Assurance: General | Kesko, headquartered in Finland, operates an extensive store network in eight countries. | Limited assurance provided on the performance indicators (economic, social, and environmental) disclosed in its Annual Report. The review also included checking the report against the GRI Reporting Standards and the AA1000 AccountAbility Principles. |
| Limited Assurance: Specific | Vodafone, a multinational telecommunications conglomerate, is headquartered in Berkshire, United Kingdom. | Limited assurance provided on information contained in an appendix in the company’s report. Specific indicators assured include gender diversity in employment, energy use, GHG emissions, supplier site assessments, factory workers surveyed, fatalities, lost-time incidents, and employing young adults. |
| Reasonable Assurance: General | This type of assurance is not common. Unable to find a company that had its entire report verified to a reasonable assurance level. | |
| Reasonable Assurance: Specific | Exxon Mobil, an international oil and gas company, is headquartered in the United States. | Reasonable assurance provided only on the integrity of its processes for determining material topics and for reporting based on two industry guidelines. The accuracy of data and information reported was not verified. |
| Both Reasonable and Limited Assurance: Specific | Baxter, an international provider of health care solutions, is headquartered in the United States. | Reasonable assurance provided on product innovation, employee health and safety, GHG emissions, and communities. Limited assurance on procurement and logistics. |
Although the popularity of assurance for sustainability reporting is growing, it is still not widespread. Here are a few statistics regarding external assurance.
Sustainability in Action: External Assurance
For a recent sample of the largest publicly traded companies in Europe and North America providing sustainability reports, Braam and Peeters (2018) report the following:
Third-Party Commentaries
External assurance providers are engaged, for the most part, to determine if the quantitative information in the report is reasonably accurate. The assurance provider follows a rigorous, repeatable methodology to reach a conclusion about the accuracy of the reported information and generally does not comment on whether the performance or reporting is satisfactory/unsatisfactory or what improvements to make. Nevertheless, some assurance providers are providing brief observations/recommendations on the performance or the report content in the assurance statement, which is often found at the end of the report.
Feedback from both the assurance provider and stakeholders helps to determine if the organization’s performance is in the right place (above average, average, or below average), whereas a review of the indicators by an assurance provider generally assures only the accuracy, with no comment on the level of performance. To gather feedback on performance in a two-way conversation, some organizations engage their stakeholders to make suggestions for improvement both in sustainability performance and reporting. Management at various levels reviews these suggestions to determine the feasibility of implementing them. There are many considerations regarding assurances for sustainability reporting. It is essential that a reader carefully reviews the report to determine the level of confidence in the information provided.
Outotec uses both stakeholders and its limited assurance engagement to receive feedback on its performance and reporting.
Sustainability in Action: Outotec
Outotec, headquartered in Finland, develops leading technologies and services for natural resource use.

Stakeholders’ Feedback: We have also discussed our sustainability reporting with some investors, and their feedback has been considered when planning the report content. We have also asked our employees for feedback about the report, future themes and topics of interest in sustainability communications, using our internal social media.

Limited Assurance Engagement Feedback: Although the assurance provider offered several comments on both report content and performance, only part of the commentary is provided here (see the report itself for more detail).

Performance: In general, Outotec has prepared the Sustainability Report 2018 in accordance with GRI Reporting Principles. The report is a balanced, consistent and comprehensive representation of the company operations and performs well in terms of quality requirements set for reporting. In addition, the management approach has been developed in a structural manner enabling better understanding of managing the material topics.

Report content: The report presents the sustainability context of the company operations. It could be further developed by presenting the company performance in reference to broader sustainability goals and context, e.g., by elaborating the long-term perspective in terms of strategy, risks and goals.

Source: Outotec (2018, 16, p. 62).
Reflection: Assurances
There are many variables to consider regarding assurance quality of sustainability reports. You are a consultant for a small company that is considering having assurance done on its report. What do you tell the firm?
Key Takeaways
We seek to continually improve the audit functions and internal controls of our corporate management. Our aim is to create a management approach that goes beyond compliance and reflects the perspectives of our stakeholders.
—ASICS (2017, p. 7)