CHAPTER 7

Assurances

Main purpose: Comprehend the role of assurances in sustainability performance and the reporting of sustainability performance.

Objectives: After reading this chapter, you should be able to do the following:

• • Identify assurances that give confidence to stakeholders that organizations are advancing their sustainability performance and that their reporting is an accurate reflection of their activities.
• • Recognize the differences, strengths, and weaknesses between internal and external assurances.
• • Compare limited and reasonable assurance characteristics.
• • Interpret various characteristics of an assurance report found in a sustainability report.

There can be no great courage where there is no confidence or assurance, and half the battle is in the conviction that we can do what we undertake.

—Orison Swett Marden

Thus far, we have reviewed all the major dimensions of the sustainability model for organizations. We started with the stakeholders and their input into the policy of an organization. Organizations also participate in multi-stakeholder groups to develop a tight link between stakeholders’ needs and desires and their policy. Then, we moved to the management systems, which develop a tight link between the organization’s policy and its performance. The next dimension we studied was performance in which we learned approaches to ensure credibility in the eyes of both internal and external stakeholders through selection of appropriate indicators. To develop a tight link between the organization’s performance and stakeholders’ needs and desires, organizations provide many forms of sustainability reporting. Our final topic is assurance, which often pertains to the accuracy of the performance metrics used for sustainability reporting. However, management might decide to provide more certainty to other aspects of the dimensions in the model for sustainability. Assurances help to give confidence that the linkages illustrated in the model for organizational sustainability are strong and working properly. (See Figure 7.1.)

Various levels of management and the board of directors want assurance that the organization has the right processes and controls to link its policy statements to its actual performance. They also want to have confidence that the performance indicators provided in the sustainability report are representative of the organization’s actual performance and that the report does not contain any material errors or omissions which may create legal or reputational problems for the company.

Confidence in Reporting

Assurance of any type provides confidence to the organization, as well as its stakeholders, that the information reported is “reasonably accurate,” honest, and reliable for decision making. We use “reasonably” because the report contains many estimates, and an organization’s sustainability progress can be reported using different standards/guidelines. In financial accounting, the term “faithful representation” is used in a similar manner. As well, the term “assurance” is used rather than audit because an audit is only one procedure used to provide assurance. Assurance is a broad, all-encompassing term that applies to the outcome of various types of reviews or verification processes, some of which are audits. It is helpful to think of assurance techniques on a spectrum indicating degree of rigor, with auditing as the most intensive and periodic checks as the least intensive.

Assurances let stakeholders know that the sustainability report fairly represents a company’s performance, the same as financial assurances (usually called audits) do for the capital providers of publicly traded companies. However, unlike financial audits that have been around for many years and are standardized, assurance providers for sustainability reporting gained promience only since the early 2000s. Assurance providers had to learn how to assure this information by adapting their experience from financial audits. Initially, there were no guidelines available specifically for sustainability assurance, and assurance providers along with standard setting bodies had to develop them. Because assurance statements are new and still changing, not all the statements will have exactly the same information in the assurance statement. Furthermore, many types of organizations in addition to accounting firms provide assurance for sustainability reporting. Therefore, we discuss various approaches to provide assurance in this chapter.

Organizations use assurances in a number of different ways concerning sustainability. Assurances can be provided on the management system itself or any of its various components. Assurance procedures can also confirm that the company calculated its performance indicators in accordance with a certain standard, (e.g., the calculations for GHG emissions follow a certain protocol or standard or that reporting is compliant with the GRI Reporting Standards). Assurances help to determine if employees follow proper procedures and processes to support credible reporting. Internal or external personnel can perform the procedures necessary for assurance depending on the objective. Note the different types of assurances that Apple performed on its processes, performance, and report.

Internal Versus External Assurances

Both internal and external assurances improve the quality of information. Internal controls and internal audits (internal assurances), independent third-party reviews, and third-party commentaries (external assurances) all help to make information more credible and therefore more useful to the reader. Thus, everyone benefits. Assurances can do the following:

• • enhance the readers’ and the organization’s confidence about the reported information;
• • lead to better decisions or judgments about performance;
• • allow others, not preparing the report, to provide valuable ideas on the interpretation and analysis of the report indicators; and
• • provide the impetus to improve sustainability performance.

Similar to financial accounting, if a company has completed rigorous internal assurances, then the external assurance is less costly (for financial accounting, the term generally used is internal and external audit). Regarding internal assurances, a department or division within an organization that is knowledgeable about the subject matter usually performs a review or an audit on a sustainability activity that is the responsibility of another department or division. In contrast, an objective third party, knowledgeable about the sustainability aspect but not employed by the organization, performs an external assurance.

Processes for internal assurances are generally proactive and attempt to ensure that there is a system in place to aid in accomplishing objectives and to provide accurate and relevant reporting on the objectives. They also quickly help to identify problems occurring during an activity, such as a data collection process, and before the final sustainability report is prepared. On the other hand, processes for external assurances are generally reactive and identify inadequate reporting systems, errors, inaccuracies, or inadequate performance after an activity has occurred, such as after a report is prepared but before it is made available to the stakeholders. For an excellent comparison of internal versus external assurances regarding financial reporting, see Factsheet: Internal Audit versus External Audit (IIA Australia 2018).

Internal Assurance: Internal Controls and
Internal Audits

There are many types of internal assurances. We learn two main categories and their relationship: internal controls and internal audits. Internal personnel work with both. Generally, internal assurances (both internal controls and internal audits) come from the internal auditing function within the company. For financial reporting, internal auditors are professionally trained in controls and audits. For sustainability controls or reporting, often a multidisciplinary team is created. An internal auditor who is professionally trained in auditing heads the team and other members from technical areas work together to help the board of directors and management with any of the following duties (IIA, n.d.):

• • aid in the identification of material environmental and social risks and suggest how risks can be mitigated.
• • determine if controls, processes, and procedures are adequate to support the objectives.
• • provide insight for achieving objectives more efficiently and effectively.
• • ensure accurate and relevant sustainability reporting through appropriate indicators.
• • determine compliance with policies, commitments, laws, and regulations.

See Table 7.1 for a partial list of examples of the different types of internal assurances that Samsung uses. Note that the company clearly assigns responsibility for each of the assurances.

Internal Controls. Recall that a management system consists of the entire set of policies, procedures, monitoring, and tracking mechanisms. Sometimes the term management system is expanded to management planning and control system to be more specific about what it does. Management systems and their controls can be specified by an external organization such as ISO 14001. Nevertheless, they must be developed internally and customized to meet the organization’s needs. Internal controls can be both formal and informal. Commitment and capability tend to be informal controls and therefore more difficult for an auditor to determine if they are at the right levels. Regardless, they are extremely important, and certain types of controls can help support commitment and capability (Chapter 4). We briefly review the controls related to commitment and capability. Two very different companies, an energy company and a retail running shoe and apparel manufacturer, indicate the importance of internal controls for performance and reporting.

Both companies identified the importance of governance, not only at the highest levels (Nike) but also throughout the organization’s business units (ConocoPhillips). Part of governance is assigning responsibility. However, ensuring accountability is much broader than just a formal assignment of job duties. Management establishes an informal culture of accountability within an organization by developing high expectations that employees will make ethical decisions even when formal controls cannot be established or performance monitored. Some controls that support accountability follow:

• • electing members to the Board that have sustainability values and expertise;
• • structuring the organization to give prominence to units responsible for sustainability;
• • building rigorous systems to collect data that determines progress on objectives;
• • ensuring sustainability indicators are given equal importance to financial indicators.

Part of the internal auditor’s responsibilities is to identify control procedures necessary in various business units and help the employees in the unit to design and implement the procedures. The auditor helps the employees take responsibility for the continued use and maintenance of the controls to achieve the desired objectives. This approach helps with capability and commitment of the employees. Then, periodically the auditor will return to perform a review to determine if the controls are still appropriate and working.

Internal Audits. An internal audit is a more formal periodic and systematic review to determine “how well risks are managed including whether the right processes are in place, and whether agreed procedures are being adhered to” (IIA 2019). Internal auditors perform internal audits. They are employees of the organization being audited. An auditor should be independent of the subject matter he or she is auditing. As an employee of an organization that is receiving an audit, the internal auditor’s independence is compromised to some degree. The auditors might hesitate to report that controls need to be improved for fear of losing their jobs. However, direct lines of reporting to top management and/or to the board of directors create more independence for the internal auditors. Internal auditors provide many benefits to an organization, especially early identification of potential problems; consequently, it benefits an organization to have a team of auditors working for the organization full time.

Internal auditors follow a set of professional standards to perform a review and provide an opinion on the subject matter of the audit. Similar to setting up internal controls, a multidisciplinary audit team, headed by a professionally trained auditor, will carry out the audit. Technical expertise is also needed. For example, the auditor might not be familiar with the regulations and calculations specific to GHG emissions. Therefore, an engineer with experience on emissions calculations will likely join the team. Teams of auditors review internal controls to ensure they are still appropriate if the operating environment has changed. They also check to ensure that employees are following the controls that are in place and not by-passing them. The team will make recommendations for improvements if they identify weaknesses.

Similar to an external assurance provider, internal auditors can review certain indicators in a sustainability report, determine if the sustainability indicator conforms to certain standards such as Global Reporting Initiative (GRI), or review an entire report for accuracy. Because external assurances are costly, often an organization will start with an internal audit of its report before it engages an external assurance provider. If an organization’s internal controls and information systems are well maintained, as evidenced by the internal audit team, the external assurance will be less costly and the likelihood is greater that the assurance provider will not find any major weaknesses.

External Assurances: Third-Party Assurance and Commentaries

This section covers two types of external assurance: those provided by third-party providers and those provided by stakeholders. External assurances are performed by independent third parties who are not employees of the organization. Firms that provide external assurances will typically create a team of specialists with expertise in a variety of areas, such as auditing, engineering, science, and business. Because sustainability topics are multidimensional, the assurance team must have expertise in auditing as well as technical expertise on various aspects of the environment and social dimensions, similar to internal audits. Third-party commentary or stakeholder panels are also used by companies to provide feedback on performance, which is useful both to the organization and to the reader of the report. However, their comments are often not published in the sustainability report.

Third-Party Assurance

The role of external assurances in sustainability reporting can be confusing when compared to the role of audits in financial reporting because there are several different types of reviews performed by professional assurance providers, whereas a financial audit is the most common assurance on the financial statements. Reviews performed by assurance providers on sustainability reporting are either limited or reasonable assurance. They can also be general (on the entire report) or specific (on a few indicators or a certain part of the report). As well, the assurance statements are not standardized like financial audits. Therefore, the reader must review the assurance statement carefully. This section helps to recognize several characteristics that are normally found in third-party reviews/assurances.

The International Standard on Assurance Engagements (IAASB ISAE 3000 Revised 2013, p. 7) defines an assurance engagement for the following purpose:

a practitioner is to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information …

What does all that mean?

• • “a practitioner” is a person or organization who is an independent assurance provider who has no interest in seeing information presented either favorably or unfavorably but rather is neutral.
• • “conclusion designed to enhance the degree of confidence” is usually in the form of a statement (assurance statement) about the accuracy of information and is found in the opinion.
• • “subject matter information” can be all or part of a sustainability report, an information system, an environmental management system, or a process.

Therefore, for external assurance an organization engages an independent third party (not an employee of the organization) to perform a review and then to make a statement as to the accuracy of the information provided or the adherence to some standard. The assurance provider (the independent third party) then provides an opinion, along with other information, in an assurance statement. Table 7.2 contains a list of characteristics that are generally provided in assurance statements. Not all assurance statements will contain all characteristics, but the more details that are provided, the greater is the ability to judge the breadth and depth of the review and the quality of the assurance.

Several of these characteristics deserve further attention. The following sections provide additional information on the levels of assurance provided (limited and reasonable), assurance provider and expertise, independence, standards used, and scope.

Limited and reasonable assurance. Most assurance standards offer two levels of assurance:

• • Limited assurance, sometimes referred to as “negative” assurance (lower level of assurance), often expressed using phrases such as “nothing came to our attention. . .”
• • Reasonable assurance, also referred to as “positive” assurance (higher level of assurance), often expressed using phrases such as “in our opinion, the reported information has been presented fairly…”

The level of assurance provided, whether limited or reasonable, will differ depending on the time and effort required to complete the assurance procedures. A higher level of assurance requires more investigation to check for accuracy of the information and therefore is more costly. The assurance provider checks more documents and conducts more interviews with management and staff to express reasonable rather than limited assurance. (For more information on this topic, see ISAE 3000 Revised 2013 or GRI’s The external assurance of sustainability reporting 2013.) Table 7.3 explains the differences in limited versus reasonable assurances.

Assurance Provider and Expertise. In practice, many different types of organizations perform reviews to provide assurance statements; therefore, not all assurances statements are the same. Most assurances are provided by public accounting firms, but all of the following types of organizations can provide assurances:

• • public accounting firms;
• • certification bodies;
• • technical experts; and
• • specialist firms.

Because each organization has its preferred method of assurance, a reader must know how to determine the underlying value of the assurance and thus the credibility of the information in the report. Each assurance provider will vary on the following characteristics:

• • professional training;
• • use of professional guidelines;
• • rigor of assurance procedures;
• • consistency of service provided.

Table 7.4 provides five well-known companies and the name of the assurance provider for their stand-alone sustainability report.

Independence. If a fair and unbiased opinion is to be provided on the reported information, the assurance provider must be objective. Because objectivity is difficult to determine, an organization attempts to select a provider who is independent of the organization being serviced. There are several ways in which an assurance provider’s independence can be tainted, but here are three key examples:

• • The assuring firm has a financial interest in the reporting organization (e.g., employees of an assuring firm own shares in the reporting organization).
• • The assuring firm is heavily dependent on the reporting organization for income (e.g., a major client) and therefore runs the risk of losing the organization as a client if the results are not positive.
• • The assuring firm is asked to provide assurance on its own work (e.g., the assurance practitioners implement a data management system and then are asked to provide assurance on the data reported via that system).

Auditing Guidelines/Standards. Several professional bodies now provide guidelines or standards to use when reviewing sustainability reporting. The following have been used recently to provide assurance (with the ISAE guideline as the most used):

• • ISAE 3000 published by IAASB (International Auditing and Assurance Standards Board).
• • AA1000AS published by AccountAbility.
• • AICPA AT-C published by the AICPA (American Institute of Certified Public Accountants).

In addition to these general review standards, professional reviewers will also use specific guidelines that apply to a specific industry or a specific aspect of sustainability (e.g., GHG emissions in the mining industry). Here is a sample of some of the other standards/protocols/principles that have been used to provide assurance engagements recently.

• • ISAE 3410—Assurance Engagement on GHG Statements.
• • ISO 14064-3 GHG.
• • The GHG Protocol.
• • Principles of the ICMM (International Council on Mining and Metals).
• • Oil and Gas Industry Guidance on Voluntary Sustainability Reporting (IPIECA/API).
• • Compendium of GHG Emission Estimation Methodologies for the Oil and Gas Industry by American Petroleum Institute (API).

Scope. Some assurances are general and cover all indicators in addition to the narrative in the report. Other assurances cover only specific indicators or certain aspects of the report. It is essential to read the statement carefully to determine the exact scope of the assurance engagement. The assurance provider and the organization negotiate a contract to determine which services will be provided in the assurance engagement. As the cost of the assurance engagement is dependent on the sophistication of the organization’s information systems, often an organization will opt for assuring only those indicators that come from its most developed information systems or that are of most importance to its stakeholders. Therefore, the indicators that are assured may differ from one organization to the next. Some assurance engagements also determine if the report is prepared according to a set of guidelines, such as the GRI Reporting Standards.

Both limited and reasonable assurances can be carried out either on the entire set of reported indicators in a report or on a narrower set of selected indicators. If a narrower set is assured, the organization will provide some indication, such as a list, mark, or star, to clarify the level of assurance for each indicator. Table 7.5 provides examples of the types of assurances (limited or reasonable; general or specific) that appear in a sample of companies’ sustainability reports.

Although the popularity of assurance for sustainability reporting is growing, it is still not widespread. Here are a few statistics regarding external assurance.

Third-Party Commentaries

External assurance providers are engaged, for the most part, to determine if the quantitative information in the report is reasonably accurate. The assurance provider follows a rigorous, repeatable methodology to reach a conclusion about the accuracy of the reported information and generally does not comment on whether the performance or reporting is satisfactory/unsatisfactory or what improvements to make. Nevertheless, some assurance providers are providing brief observations/recommendations on the performance or the report content in the assurance statement, which is often found at the end of the report.

Both feedback from the assurance provider and from stakeholders help to determine if the organization’s performance is in the right place (above average, average, and below average), whereas a review of the indicators by an assurance provider generally only assures the accuracy, with no comment on the level of performance. To gather feedback on performance in a two-way conversation, some organizations engage their stakeholders to make suggestions for improvement both in sustainability performance and reporting. Management at various levels review these suggestions to determine the feasibility of implementing them. There are many considerations regarding assurances for sustainability reporting. It is essential that a reader carefully reviews the report to determine the level of confidence in the information provided.

Outotec uses both stakeholders and its limited assurance engagement to receive feedback on its performance and reporting.

Outotec, headquartered in Finland, develops leading technologies and services for natural resource use.

Stakeholders’ Feedback: We have also discussed our sustainability reporting with some investors, and their feedback has been considered when planning the report content. We have also asked our employees for feedback about the report, future themes and topics of interest in sustainability communications, using our internal social media.

Limited Assurance Engagement Feedback: Although the assurance provider offered several comments on both report content and performance, only part of the commentary is provided here (see the report itself for more detail). Performance In general, Outotec has prepared the Sustainability Report 2018 in accordance with GRI Reporting Principles. The report is a balanced, consistent and comprehensive representation of the company operations and performs well in terms of quality requirements set for reporting. In addition, the management approach has been developed in a structural manner enabling better understanding of managing the material topics. Report content The report presents the sustainability context of the company operations. It could be further developed by presenting the company performance in reference to broader sustainability goals and context, e.g., by elaborating the long-term perspective in terms of strategy, risks and goals. Source: Outotec (2018, 16, p. 62).