Chapter 5

External Assurances

For many companies, corporate social responsibility reporting is seen as an approach to doing “things differently.” How do companies gain public trust with sustainability reporting? If companies are going to publish sustainability performance indicators, then the information needs to be credible. Third-party assurance of these reports is one approach to gaining credibility. Accounting firms, specialist consultancies, certification bodies, nongovernmental organizations, stakeholder groups, and academics perform third-party evaluations. Accounting firms, specialist consultancies, and certification bodies provide the vast majority of sustainability-related services and third-party assurance. Certification bodies are typically involved with the certification of specific systems (e.g., ISO 9000 or 14001), projects, and measurements (e.g., greenhouse gas emissions) rather than the assurance of a complete report.

Large accounting firms such as Deloitte, Ernst & Young, KPMG, Moss Adams, and PricewaterhouseCoopers have divisions dedicated to sustainability and climate change services, which include advisory (e.g., sustainability strategy, implementation), tax (e.g., U.S. renewable energy tax credits), and assurance (e.g., examinations, reviews, agreed-upon procedures). It is no surprise that the accounting profession is involved in providing assurance for sustainability reports given its long history of providing financial statement audits. The profession offers a variety of attestation services. These attestation engagements include agreed-upon procedures, examinations of nonfinancial information, and reviews and audits of financial reports. Users of financial reports (interim and annual) should be familiar with assurances provided by a review or audit opinion issued by certified public accountants (CPAs). A review is performed when limited assurance is needed and is much narrower in scope than an audit. The purpose of an audit of financial statements is to examine management’s assertions that the financial statements are fairly presented in accordance with Generally Accepted Accounting Principles (GAAP). In the audit process, the financial statements are tested for compliance with GAAP, an established set of criteria. To test these assertions, auditors conduct their examination in accordance with the accounting profession’s Generally Accepted Auditing Standards. Audits provide the highest level of assurance for financial statements. The final product is an opinion on the fair presentation of the financial statements. The audit report describes the scope of the work done and the conclusion. The auditing process for financial statements is well established and consistently applied across companies.

Audits of financial statements demonstrate how companies establish a level of trust with users who depend on financial information to make decisions. The legal requirement for public companies to have audited financial statements goes back to legislation passed in the 1930s after the stock market crash of 1929. Before that time, financial reports—if published at all—were not reliable. When financial securities were traded on false or nonexistent information, there were dire consequences for the U.S. stock market and eventually the world economy. The U.S. Securities and Exchange Commission requires publicly held companies to have their annual financial statements audited by independent CPAs. As part of its Code of Professional Conduct, the American Institute of Certified Public Accountants (AICPA) stipulates that when independence is required, “A member in public practice should be independent both in fact and appearance when providing auditing and other attestation services.”[1] For CPAs, the issue of public trust is at the heart of their profession. For nearly 100 years, the accounting profession has been performing financial statement audits with the trust of the investing public in mind. This is evident in its establishment of standardized auditing standards that bind CPAs’ work.

Although U.S. regulators do not govern sustainability assurance services, globally recognized standards do exist. Assurance standards include the AccountAbility AA1000 Assurance Standard (AA1000AS, 2008), the International Auditing and Assurance Standards Board (IAASB) International Standards on Assurance Engagements (ISAE) 3000, and the AICPA Attestation Standards (AT 101, AT 201, and AT 601).

The AA1000AS (2008) standard addresses the requirements for performing sustainability assurance with a focus on the organization’s responsiveness and future performance.[2] Nonaccounting firms tend to follow this standard. It was developed by AccountAbility, an international think tank and consulting firm specializing in advisory services. The standard emphasizes the significant interests of the stakeholders by finding omissions or misrepresentations in the report as a whole that could affect the behavior of intended users of the report. Using this standard, the assurance provider gives assurance on the extent and type of adherence to the three AA1000 AccountAbility Principles Standards (AA1000APS) 2008. These principles are the Foundation Principle of Inclusivity, the Principle of Materiality, and the Principle of Responsiveness. Inclusivity addresses the issue of including stakeholders in developing a strategy for sustainable development, while materiality covers determining the important issues for an organization and its stakeholders. Responsiveness involves how the organization responds to the important issues that pertain to sustainability performance.

The ISAE 3000 standard provides principles and procedures for accounting professionals performing all assurance engagements other than historical financial information audits or reviews, which are covered by the International Standard on Auditing (ISA) and International Standard on Review Engagements. The IAASB, an independent standard-setting body that operates under the auspices of the International Federation of Accountants, issued ISAE 3000.[3] It specifies an approach and procedures to be followed to be in compliance with professional assurance standards and codes of conduct. The ISAE 3000 standard states that assurance engagements can be conducted for (a) environmental, social, and sustainability reports; (b) information systems, internal control, and corporate governance processes; and (c) compliance with grant conditions, contracts, and regulations. ISAE 3000 provides guidance on evaluating ethical requirements, maintaining quality control, accepting and planning engagements, acquiring work of an expert, obtaining evidence, documenting the engagement, and preparing the assurance report. ISAE 3410, effective on or after September 30, 2013, has been issued to cover assurance on greenhouse gas statements.

The Attest Engagements AT Section 101 (AT 101) standard, developed by the AICPA and used by CPAs in the United States, binds CPAs when they are conducting assurance services other than the audit and review of financial statements. Assurance services such as examinations and reviews for sustainability reporting come under this category for CPAs. Examinations are considered a high level of assurance because they involve search and verification procedures, such as observations, inspections, and confirmations. The resulting assurance report states whether or not the information is fairly presented, in all material aspects, based on the criteria identified. The examination report basically states whether the company has applied the reporting criteria appropriately. For example, if the company used the Global Reporting Initiative (GRI) sustainability reporting framework, the CPA’s report says whether or not they followed the GRI framework in presenting the information.

Reviews of sustainability reports represent a moderate (or limited) level of assurance because the procedures are limited to inquiries of key company personnel and analytical procedures (e.g., comparisons of data to prior periods, forecasts, and expected relationships). Reviews are not considered opinions on the fair presentation, and the wording in the report demonstrates this. Review assurance reports state whether nothing came to the attention of the auditors that would make them believe that the information is not fairly presented, in all material aspects, in conformity with the criteria.

The AT 101 standard stipulates general standards, standards of fieldwork, and standards of reporting for when accountants are engaged to do examinations and reviews. The general standards address what constitutes adequate training and proficiency, knowledge of the subject matter, independence, and due professional care. Standards of fieldwork include how to plan and supervise these engagements along with how to obtain sufficient evidence to issue a conclusion. Reporting standards cover the content of the assurance report. These include stating the subject matter or the assertion being reported on, a statement about the character of the engagement in the report, and the CPA’s conclusion about the subject matter in relation to the criteria against which it was evaluated. The CPA is obligated to state all significant reservations about the engagement, the subject matter, and, if applicable, the assertion in the report. If the report is restricted to certain users, the standard specifies what special wording is needed to convey the restrictions.

CPAs can be hired for other than examinations and reviews, such as attestation to agreed-upon procedures and compliance. The AT 201 standard covers agreed-upon procedures, which is when a CPA is engaged by a client to issue a report of findings based on specific procedures performed on subject matter. An example is the confirmation of specific information with third parties. AT 601 provides guidance for a client’s compliance with specified laws, regulations, rules, contracts, or grants or the effectiveness of a client’s internal control over compliance with specified requirements. An attest engagement conducted in accordance with AT 201 and AT 601 must comply with the general, fieldwork, and reporting standards in AT 101.

The AICPA Auditing Standards Board is considering developing guidance for review-level engagements that addresses greenhouse gas statements. Another area being considered by the AICPA Assurance Services Executive Committee is the development of assurance, advisory guidance, or both to help members address an emergence of sustainability reporting and assurance requirements stemming from supply chain vendor code of conduct requirements and other certification requirements. Big retail organizations are fueling demand for these services by requiring their current and prospective suppliers to provide reporting and third-party assurance on their environmental, social, and corporate governance practices.

Recent studies of U.S. companies issuing sustainability reports show that there is an increasing trend. For companies in the early stages of reporting, the state of their supporting records and information systems may be inadequate for assurance. As companies refine their information systems and reports and stakeholders demand more information, they will see the need for assurance. As more people use sustainability information to make decisions, the economic implications of using this information are increasing. Credibility of the information becomes crucial as the information is publicly presented.

If assurance is an investment in establishing credibility for sustainability reports, what is the return on investment (ROI)? The answer depends on what a company hopes to gain from the process of reporting and assurance. A quantifiable ROI might not be calculable because many of the benefits are qualitative and have long-term impacts. Risk mitigation is one example. If the sustainability report process enables companies to focus on being active in mitigating economic, environmental, and social risks, companies can be more resilient when responding to crises. For example, without a dedicated approach to tracking and eliminating slave labor in their factories or supply chain, companies can be caught unable to respond in an appropriate and timely fashion to the discovery of such instances. Being less able to respond to the problem means being less in control of the narrative of events. Another benefit is that sustainability reports and assurance can be a product differentiator. The CDP ratings of companies make use of the assurance of greenhouse gas emissions. If assurance on these reports provides differentiation between companies, credible information has tremendous value.

Why might assurance reports from nonaccounting firms seem more informative than those produced by accounting firms? Accounting firms are bound by professional standards that cover report content and are consistent across similar engagements. The assurance report form and content are based on those standards similar to those for financial statement engagements. There are three standard paragraphs, which include an introduction, the scope of work, and a conclusion. In both financial statement audits and nonfinancial attestation engagements, accounting firms provide detailed recommendations for improving processes and operations in a “management letter,” which is not made public. These letters are viewed as internal management tools that are not necessarily useful to external users because of the level of detail about internal controls, processes, and so on. Nonaccounting assurance firms are not bound by specific standards that guide their work and report content. Their report forms can vary depending on the requests of their clients.

How should a company choose its assurance provider? Company officials should decide what they want the sustainability report and assurance to provide. It should not be viewed as a commodity, because one size does not fit all companies. Companies need to discuss their needs with various providers and assess what is appropriate for their sustainability journey. Sustainability reporting and assurance are evolving as the demands for report content and format change. Many reports are freestanding, but the trend is toward integrated reporting, which has sparked the interest of many preparers and users.

How much do reporting and assurance services cost? Pricing for these sustainability reporting and assurance services depends on what is provided and by whom. Companies need to assess what they want and which provider meets their needs. There are many important questions to ask before deciding which firm is the right one. What are the provider’s methods for delivering assurance? Are their methods rigorous and understandable? Which provider is likely to address their long-term needs? How does the future of reporting fit into their plans?

Can assurance of sustainability reports counter charges of “greenwash”? For negative actions that are covered up in a sustainability report, an assurance on the report lessens the likelihood that a misstatement would be missed. If the information in a sustainability report is geared to promoting only a company’s positive actions, the answer is no. An assurance report would only address the items in the report and not necessarily the items omitted. A globally standardized reporting framework could address this issue.

Achieving sustainability is a multifaceted task, one that is dynamic and requires deliberate assessment. To get the most out of reporting and assurance, companies need to become educated on the process, the providers, and the outcomes. One way is to look to other firms’ reports and their successes. Another is to solicit information from providers about what they can do for the company. If done with the intention of improving operations, building their brand, mitigating risks, and communicating with stakeholders, companies can benefit from this close examination of their operations as they plan for the future.

The GRI supports the use of internal and external approaches to bolster the credibility of sustainability reports. Internal auditing and controls can provide some degree of assurance about the quality of the information being produced. Because internal methods are not sufficient, external assurance can be obtained from professional assurance providers, stakeholder panels, and other external parties. Regardless of whether internal or external methods are used, the GRI recommends that competent individuals or groups perform the evaluation. Professional standards or other systematic methods that provide evidence can be used. The GRI defines external assurance as a report on the quality of the sustainability report being reviewed and information in the report. The expectation is that the conclusions of an assurance evaluation are to be published. The GRI makes a distinction between external assurance and compliance assessments (or performance certifications). The latter is an assessment on the level of performance.

The GRI specifies important attributes for external assurance of reports that are constructed under the GRI Reporting Framework. First, external groups or individuals conducting the assurance should be properly trained in assurance procedures and knowledgeable about the matter being assessed. Second, the assurance procedures should be defined, documented, and based on evidence. Third, the report should consider the reasonableness and fairness of the organization’s performance. This includes correctness of the data as well as an overall evaluation of the content. Fourth, assurance providers should be in a position of independence from the organization. Relationships with the organization should be ones that do not preclude the assurance providers from rendering an independent and impartial conclusion. Fifth, the report should state the degree to which the report has applied the GRI Reporting Framework with regard to the conclusions of the report. The final attribute is that a written opinion or conclusion be available to the public with an assertion about the organization’s relationship to the assurance provider.

International Organization for Standardization Standard 14001—Environmental Management Systems

In addition to having its sustainability report evaluated, an organization can have the environmental dimension of its operations assessed for performance quality. For example, environmental management systems (EMS) can be certified in accordance with international standards by certification bodies. ISO 14001, the international standard for EMS, is becoming increasingly popular among organizations that want to exert more control over their environmental impacts. ISO 14001 was designed to help an organization to identify, evaluate, and continually improve an organization’s products, services, and activities that affect the environment. In effect, it helps with the implementation of an EMS and allows for an EMS to be certified by an outside party. The standard was initially issued in 1996, and it was revised in 2004. There are other standards in the environmental series that are guidelines to address the development and implementation of EMS, audit program review and assessment material, labeling issues, performance targets and monitoring, and life cycle issues. ISO 14001 is the only one in the series that can be certified.

The Benefits of ISO 14001

The ISO 14001 certification demonstrates that an organization has met an international standard for establishing and maintaining its EMS. This provides an organization with a systematic approach to monitor its resource and energy usage so it can reduce its waste. A reduction in waste can reduce costs. Another benefit is a systemized approach to legal compliance. Such an approach can prevent legal costs and fines if environmental damage is averted. In addition, a certified EMS enables an organization to be equipped to address stakeholders’ demands for better environmental performance. It allows the organization to demonstrate its efforts to lessen its impact on the environment and to publicly advertise its certification.

ISO 14001 is intended to be flexible so that many organizations can use the standard. For example, an organization sets its own goals. This allows organizations of all sizes and types to use the standard. ISO 14001 also allows that different organizations will have different purposes. The standard requires an organization’s environmental policy to comply with legal requirements and to be committed to pollution prevention and continual improvement. In addition, the standard facilitates the creation of an EMS that can be subjected to an objective audit.

The Components of an EMS Under ISO 14001

There are six components to an EMS under ISO 14001.[4] These are general requirements, environmental policy, planning, implementation and operation, checking and corrective action, and management review. The general requirements involve establishing and maintaining the system in accordance with the standard. This encompasses implementation, documentation, and continual improvement of the system.

Policy

In setting its environmental policy, top management should be directly involved by committing to compliance with environmental laws and to continual improvement. The policy should be the foundation for objectives and goals. A written policy is necessary so that both external and internal groups can review it. To keep the policy current with the organization’s environmental status, it should be reviewed periodically. In order for the policy to be beneficial to the organization, it should be distributed to employees and contractors along with being made available to the public.

Planning

Planning needs to be done for all the environmental aspects of an organization’s activities (past, current, and future). An examination of inputs and outputs of proposed, current, and past products and services is relevant to determining how an organization interacts with the environment. Examples of interactions are air emissions, waste and by-products, and use of raw materials. The effects of packaging and transportation of products also should be considered. The planning component involves setting up a system that identifies and updates environmental laws that are applicable to the organization. Environmental goals and targets should be set in the environmental policy and need to be documented. Methods, timeframes, and levels of responsibility for these goals need to be specified.

Implementation and Operation

The implementation of an EMS involves many aspects. Typically, financial, human, and organizational infrastructure are the resources needed for a successful system. Top management’s support is important here because it is responsible for providing the resources to establish and maintain the EMS. In addition to resources, it is essential to communicate to employees what their roles, responsibilities, and levels of authority will be. To provide for a consistent implementation, this information should be documented. Responsibility for the system should be given to a key employee, but top management should stay involved with the system by reviewing it regularly. Implementation should involve identifying employees who could cause material environmental impact in the course of their work. Training these employees to handle their work carefully is a crucial step. In addition, all employees need to be apprised of the consequences of not conforming to the policy.

The successful operation of an EMS is dependent on many things. Internal and external communications are important aspects of the EMS. Internal communications need to be formalized so that information can be communicated across various levels of the organization. In addition, a policy for communications from and to external parties should be determined and documented. Public relations can be critical to safe handling of environmental problems.

ISO 14001 requires that the organization document many aspects of its EMS. This includes documenting its environmental policy, goals, and targets; boundaries of the EMS; main components of the EMS; and interactions of the system. The organization must take control of EMS documents. This relates to how specific documents are approved, changed, and stored. As part of its operational controls, an organization should connect its environmental policy to its activities that have significant environmental impacts. Plans and procedures for controlling operations that deviate from policy should be established along with plans and procedures for emergencies. Emergency preparedness and response should be adapted to what could happen at the organization’s facilities. Testing for emergency preparedness should be done periodically.

Checking

How well an organization is managing its environmental impacts can be evaluated by collecting data. This data can be compared to standards or targets. Not only should the organization meet its targets, but it should also demonstrate that it has complied with legal requirements. The organization should have procedures that deal with nonconformity. In addition, procedures for access to these records and identification of users should be created. Procedures for internal audits should be created.

Management Review

Management review is a necessary component of the ISO 14001 standard. Top management should review the environmental management system at specific intervals. This review should include an examination of audit results, external communications, environmental performance, performance reports, corrective and preventive actions, and recommendations.

How Many Organizations Are ISO 14001 Certified?

ISO 14001 was published in 1996, and since then the number of companies acquiring third-party certification has increased steadily. By the end of 2013, there were approximately 354,542 certifications worldwide.[5] The countries with more than 10,000 certifications at the end of 2013 are shown in Table 5.1.

Table 5.1 Number of certifications by country

Country           Number of certifications
China             104,735
Italy             24,662
Japan             23,723
United Kingdom    16,879
Spain             16,081
