Behind the Curtain: What You Need to Know About ESG Assurance

Organizations are increasingly obtaining assurance for their ESG disclosures. Read on to learn more about types of assurance and how to prepare. 

Organizations are increasingly disclosing environmental, social, and governance (ESG) information and obtaining assurance for their ESG disclosures; however, organizations often lack understanding of the types of assurance and how to prepare. Organizations seek assurance of ESG information to show their senior executives, board members, investors, customers, suppliers, regulators, and other stakeholders that the ESG information being reported is reliable and credible. Organizations have especially been interested in obtaining assurance for their greenhouse gas (GHG) emissions disclosures in preparation for the SEC finalizing their climate disclosure rule. The proposed SEC rule includes requirements for public companies to obtain assurance on GHG emissions disclosures. 

In this article, we describe what ESG assurance is and how organizations should prepare for an ESG assurance engagement. 

Key Distinctions Between Limited & Reasonable Assurance

Assurance in ESG reporting refers to a specialized service that qualified and independent professionals provide to assess the quality of the ESG information reported. When an organization contracts with a CPA firm to perform assurance, that arrangement is called an assurance engagement. If the reported ESG information meets the assurance criteria, the independent third party expresses a conclusion designed to enhance the degree of confidence that intended users can have about the reported ESG information. 

There are two common levels of ESG assurance:

  1. Limited assurance is commonly referred to as a “review.” Limited assurance is equivalent to the level of assurance provided over a public company’s interim financial statements for their Form 10-Q. Limited assurance is the most common type of ESG assurance. Procedures performed to obtain limited assurance involve the performance of inquiries, analytical procedures, and other procedures, which vary based on the extent that analytical procedures can be performed. 
  2. Reasonable assurance is a higher level of assurance that is commonly referred to as an “examination.” Reasonable assurance is equivalent to the level of assurance provided in an audit of a public company’s annual financial statements for their Form 10-K. In addition to inquiries and analytical procedures, procedures performed to obtain reasonable assurance often involve tracing information to supporting documents and performing recalculations. Site visits are also more likely to be conducted during reasonable assurance engagements than limited assurance engagements. 

Less evidence is collected for limited assurance engagements than for reasonable assurance engagements. To obtain limited assurance, enough evidence is collected to conclude that the assurance provider is not aware of any material modifications that should be made, which is referred to as a negative assurance opinion. This contrasts with reasonable assurance where enough evidence is collected to conclude that the information undergoing assurance is materially correct, referred to as a positive assurance opinion.

The following table and graphic summarize the differences between limited and reasonable assurance:

Commonly Referred to as
  • Limited Assurance: Review
  • Reasonable Assurance: Examination

Equivalent Level of Assurance
  • Limited Assurance: Quarterly Financial Statements in Form 10-Q
  • Reasonable Assurance: Annual Financial Statements in Form 10-K

Common Procedures (Limited Assurance)
  • Inquiring
  • Considering appropriateness of calculations, including how completeness and uncertainties were addressed
  • Requesting written representations from management
  • Analytical procedures [1]
  • Inspecting documentation
  • Recalculating
  • Conducting site visits
  • Other procedures [2]

Common Procedures (Reasonable Assurance)
  • Obtaining evidence and information
  • Tracing information to supporting documents
  • Evaluating appropriateness of calculations, including how completeness and uncertainties were addressed
  • Determining if calculations have been completed correctly and if the underlying assumptions are documented and reasonable
  • Requesting written representations from management
  • Conducting site visits
  • Inquiring
  • Inspecting documentation
  • Recalculating
  • Analytical procedures
  • Comparing results to related records
  • Confirming details of transactions [3]
  • Other procedures
  • Requesting legal representation letters about noncompliance, ownership, and any unasserted claims

Site Visits
  • Limited Assurance: Possible
  • Reasonable Assurance: Likely

Opinion Form
  • Limited Assurance: Negatively Worded: “We are not aware of any material modifications that should be made to the subject matter for it to be presented in accordance with the criteria.”
  • Reasonable Assurance: Positively Worded: “The subject matter is presented in accordance with the criteria in all material respects.”

Level of Assurance Achieved
  • Limited Assurance: Moderate level
  • Reasonable Assurance: High level

ESG Assurance Procedures

Limited assurance engagements give the professionals more discretion to decide whether the initial procedures, such as inquiries, are sufficient or if other procedures are warranted. The discretion is based on the reviewer’s assessment of the risks regarding whether the reported information is accurate and complete. When supporting information is readily available, the professionals conducting the review may also choose to obtain documentation that corroborates inquiry responses to be more thorough. Reasonable assurance engagements are more prescriptive, requiring the professionals conducting the examination to follow specific procedures in order to obtain a deeper understanding of how the reported information is developed and evidence that corroborates the reported information.

Accounting firms typically use attestation standards from either the American Institute of Certified Public Accountants (AICPA) or the International Auditing and Assurance Standards Board (IAASB) when performing ESG assurance engagements. ESG assurance engagements can cover specified information such as metric values, specific assertions made by the reporting organizations, or a full sustainability report. The information undergoing assurance is called the subject matter.

The criteria used to measure, evaluate, and disclose ESG information are also established before the start of an ESG assurance engagement. The assurance provider determines whether the information undergoing assurance conforms with the criteria. Criteria for ESG assurance are often a certain ESG framework or standard, like the Sustainability Accounting Standards Board (SASB) or the Global Reporting Initiative (GRI). [4] The Greenhouse Gas (GHG) Protocol is commonly used as criteria for assurance of GHG emissions. The Corporate Standard of the GHG Protocol lists required information that shall be included in GHG emissions reports released to the public. [5]

The results of the ESG assurance engagement are documented in an opinion letter report which describes the following:

  • Level of assurance performed
  • Subject matter
  • Criteria
  • Results

If the subject matter meets the criteria in all material respects, the opinion letter will include an unqualified opinion. This is often referred to informally as a clean opinion. If the subject matter does not meet the criteria, the opinion letter will include a qualified opinion with the reasons for the qualification. If reporting procedures could not be reviewed or examined to the extent that a definite opinion could not be expressed, the opinion letter may include a disclaimer of opinion. If a high level of material misstatements or irregularities are discovered or the reported information is determined to be highly unreliable, an adverse opinion may be issued.

Preparing for ESG Assurance

Establishing an ESG program is the first step to preparing for ESG assurance. This includes establishing governance by defining who is responsible for providing oversight for ESG reporting. Organizations will then select which ESG reporting standards and frameworks they will use for their reporting. Organizations often complete a materiality assessment to determine the ESG topics that are important for the organization and its stakeholders.

It is important to establish and document boundaries used for an organization’s ESG reporting. Organizations often have complex ownership structures and operational control of assets can differ from financial control. Organizations need to establish what type of control is used to determine the organizational boundary as this will drive which legal entities and locations are included in the ESG reporting. There are three common approaches used to determine organizational boundaries for consolidating information:

  • Equity Share – Under the equity share approach, an organization would typically prorate activity by their respective ownership percentage. For example, if a 50%-owned subsidiary consumed 1,000 cubic meters of water, the parent company’s share of the water consumption would be 500 cubic meters (50% x 1,000).
  • Financial Control – Under the financial control approach, an organization accounts for 100% of the activity from operations where it has financial control. For joint ventures, the percentage of ownership is used to prorate activity under the financial control approach.
  • Operational Control – Under the operational control approach, an organization accounts for 100% of the activity from operations where it has operational control.

When an ESG reporting program is established, organizations should conduct an assurance readiness assessment the year prior to an ESG assurance engagement. Since undergoing a readiness assessment or assurance may result in identifying misstatements that relate to prior years, publishing ESG information without a readiness assessment or assurance increases the risk of misstatements being identified in a later year when assurance or a readiness assessment is conducted. Organizations can use a readiness assessment as a dry run to prepare for actual assurance. A readiness assessment uses assurance engagement procedures to identify whether there are gaps between the reporting processes and the assurance criteria. If gaps are identified, the reporting organization can address them and improve its ESG reporting before the assurance engagement.

Key Takeaways

Organizations are increasingly disclosing ESG information to meet stakeholder expectations; however, some stakeholders may perceive that company ESG information is not reliable. [6] Receiving assurance on ESG metrics can address this perception to show stakeholders that ESG information is reliable and credible. In our experience at FORVIS, knowing the fundamentals of ESG assurance and what to do to prepare is critical with more companies obtaining assurance of ESG information important to stakeholders.

If you have questions or need assistance, please reach out to a professional at FORVIS or submit the Contact Us form below.

  • [1] Analytical procedures are evaluations of information to obtain assurance evidence, identify risks that could affect the accuracy of reported information, and investigate inconsistencies and deviations. Analytical procedures can be simple comparisons, e.g., year-over-year differences in reported values, fluctuations of amounts over the year, values reported by peer organizations; trend analysis, ratio analysis, or regression analysis.
  • [2] Other procedures can include inspections, observations, and scanning for unusual information.
  • [3] Confirmation is the process of obtaining and evaluating relevant information from a third party, such as supporting evidence of transactions for the amount of carbon credits purchased or sold.
  • [4] See Introduction into ESG Reporting Standards & Frameworks for more information about ESG reporting standards & frameworks.
  • [5] The Greenhouse Gas Protocol, A Corporate Accounting and Reporting Standard, Revised Edition, World Resources Institute and World Business Council for Sustainable Development, March 2004.
  • [6] See Debunking ESG Myths.
