3 November 2021 — Publication
The European Commission (EC) adopted a proposal for the Corporate Sustainability Reporting Directive (CSRD) to strengthen sustainability reporting. This is fundamental to achieve a sustainable economy. It requires companies to report more comparable, targeted, reliable as well as easily accessible information as the basis for sustainable decision-making.
The EC also introduces an EU-wide requirement for limited assurance on sustainability information (see amendments proposed to Article 34). According to the EC proposal, independent external assurance enhances the reported sustainability information’s credibility. This helps meet the growing demands for reliable information on sustainability matters.
This FAQ provides answers to recurring questions on sustainability information assurance, specifically on:
The questions and answers aim to inform policymakers and other interested stakeholders about assurance on sustainability information. We are happy to continue the discussion on sustainability matters and elaborate on the topics covered. Please contact [email protected] to discuss this further.
An assurance engagement is when a company asks an independent expert to give comfort on a metric or statement made by the company in exchange for a fee. Such assurance may be done upon recommendation of investors that want a third-party independent opinion to enhance for instance their confidence in the company’s metrics and targets.
The independent expert that provides this service can be the statutory auditor, another independent assurance practitioner working in an accountancy firm, or another assurance service provider who should all be subject to appropriate ethical and quality management requirements.
Assurance on sustainability information can either be provided via a limited assurance engagement or a reasonable assurance engagement.
In a limited assurance engagement, the assurance service provider reduces the risk of material misstatement to an acceptably low level in the circumstances of the engagement.
In such engagement, the service provider’s primary focus is to understand the process used to compile the reported information. To that end, the provider concentrates on inquiry, observation, and analytical procedures, e.g.: observe data at a more aggregated level. Professional judgement is important for the practitioner to determine the work to perform and evidence obtained to reach the conclusion.
Based on the procedures performed and evidence obtained, the practitioner then expresses a conclusion: the practitioner states whether a matter(s) came to their attention for them to believe that the subject matter information is unfairly represented according to the applicable criteria. The applicable criteria are the reporting framework, standard or regulation used by the company to prepare their disclosures (see Question 4).
In a reasonable assurance engagement, the assurance service provider obtains sufficient appropriate evidence to reduce the risk of material misstatement to an acceptably low level. Here again, professional judgment, which is based on the service provider’s knowledge, expertise and experience, is very important to ensure that enough work has been performed to reach the conclusion.
The work effort in such engagement entails more extensive procedures than in a limited assurance engagement. They include: (i) risks identification and assessment that any matters may be unfairly represented; (ii) testing the operating effectiveness of the company’s internal controls upon which the practitioner intends to rely on; and (ii) substantive procedures.
The practitioner then expresses a conclusion in a positive form as to whether the subject matter information is free of material misstatement according to the applicable reporting criteria i.e., the applicable reporting framework, standard or regulation.
Reasonable assurance is an assurance type that is obtained in an audit of financial statements. It is the highest level of assurance, but still not absolute. Assurance will never be absolute since it will always come with inherent limitations. This is due to the nature of the evidence obtained via testing, in some instances fraud or error risks, information subjectivity, etc..
The two assurance engagements both require the information be verifiable in the first place (see Question 4).
The two engagements only differ in terms of the work effort undertaken by the assurance service provider to present their conclusion in the report. Indeed, in a limited assurance engagement, service providers undertake fewer procedures and require less evidence upon which to base their conclusion than in a reasonable assurance engagement. As an outcome, it does not provide the same level of comfort to the users of the report (see Question 2 for more detail on a limited vs a reasonable assurance engagement).
For assurance to be provided, either limited or reasonable, the reported information has to be verifiable:
Effective internal processes and controls, however, are not sufficient to make sustainability reporting comparable, relevant and reliable. Assurance by an independent external assurance service provider is necessary to ensure that sustainability reporting is at a high-quality level.
According to the professional standard followed by assurance providers, other preconditions should also be met. See Question 8.
The practitioner follows specific standards and procedures to conduct an assurance engagement in an effective and efficient manner. The International Standard on Assurance Engagements (ISAE) 3000 Revised (ISAE 3000)  is the standard mostly used when dealing with sustainability information assurance as practice has evolved.
There is no legal requirement to use ISAE 3000 at European level. However, Member States (MSs) like France, Italy and Spain, used this standard to base on their national developments as well as other countries like the Netherlands where voluntary assurance is common practice. Other professional standards may also be applied to deal with specific parts of sustainability information, e.g., ISAE 3410 for assurance engagements relating to greenhouse gas statements.
Assurance on sustainability information is not yet mandated at EU level.
The Non-Financial Reporting Directive 2014/95/EU (NFRD) only requires the statutory auditor to check that a non-financial statement within the management report or a separate report has been provided, but not to check its content. All EU Member States (MSs) had to transpose this requirement into national law.
The NFRD also provided MSs with an option to require verification of the non-financial/sustainability information by an independent assurance service provider. Three MSs – France, Italy, Spain – opted for mandatory independent assurance. Based on our survey, in 14 other MSs, many entities voluntarily chose to ask for assurance on the sustainability information they are required to report.
The EC’s proposal for the CSRD introduces an EU-wide requirement for limited assurance on sustainability information. The EC suggests starting with a limited assurance requirement and potentially go for reasonable assurance at a later stage.
The EC proposes assurance on sustainability information to be performed by the statutory auditor or audit firm arguing that this would help ensure the connectivity between the financial and sustainability information. This is particularly important for users of sustainability information. In addition, the EC leaves an option to MSs to allow any independent assurance service provider to provide a conclusion on sustainability information on a basis of a limited assurance engagement, considering that the service providers are accredited by conformity assessment bodies in accordance with Regulation (EC) No 765/2008.
When providing assurance on sustainability information, similarly as for other assurance services, professional accountants are required to always demonstrate strong ethical behaviour and professional judgement. They must apply the fundamental principles of the Code of Ethics of the International Ethics Standards Boards for Accountants (IESBA), namely:
Assurance service providers abide by strong ethical principles and rules, including independence. Independence safeguards their ability to form an assurance conclusion without compromising their professional judgement. It allows the service provider to act with integrity, and exercise objectivity and professional scepticism.
An assurance service provider applying ISAE 3000 has to abide by the requirement to have a quality control or quality management system in place to ensure assurance engagement is carried out with consistent high quality.
According to ISAE 3000, an assurance engagement requires the following elements to take place:
Any assurance engagement, whether a reasonable or a limited assurance engagement, needs a clearly identified underlying subject matter to be assessed. The assurance practitioner can provide assurance on various subject matters, for example:
The CSRD proposal includes an EU-wide requirement for independent third-party assurance, but it does not provide further details yet in terms of subject matter.
ISAE 3000 describes the main elements that should be included in the assurance report:
 A material misstatement is a reported information that is sufficiently incorrect so that it may impact the economic decisions of someone relying on this information.
 The International Standard on Assurance Engagements (ISAE) 3000 Revised, Assurance engagements other than audits or reviews of historical financial information; the standard is published by the International Auditing and Assurance Standards Board, see more.
 Companies within the CSRD scope would have to disclose sustainability information in accordance with the CSRD starting 2024 for the fiscal year of 2023. Those companies would have to comply also with an assurance requirement starting in 2024.