Over the last few years, companies have been preparing to comply with several new ESG obligations, such as the European Union’s Corporate Sustainability Reporting Directive, the German Supply Chain Due Diligence Act and the United States Securities and Exchange Commission’s climate disclosure rules. One key challenge in this process is ensuring that reporting, particularly the reporting that is required by directives and laws, is accurate and in line with relevant ESG frameworks.
Consequently, the concept of ESG assurance has become critical in confirming accurate reporting.
The purpose of ESG assurance is to ensure that the information companies report is as accurate as possible and will withstand scrutiny under applicable legislation and reporting frameworks.
To provide assurance, ESG auditing firms review concepts such as:
- the quality of ESG information being reported
- the operations, processes and procedures supporting reporting activities.
Unlike financial reporting, proper ESG assurance poses several implementation challenges. For example, ESG encompasses several disparate risk areas, and reporting under each area requires access to different types of data and software platforms and expertise from multiple departments across an organisation. ESG assurance could also require assessment by multiple auditors, given the variance in the subject matter under ESG (whereas in financial reporting companies can reach out to a single established accounting firm for support). In addition, some directives and regulations impose reporting as a requirement but do not set out an established framework to report against, leaving organisations scrambling to determine how and what to measure.
In this article, we will discuss:
- why ESG assurance could be helpful to organisational ESG programmes
- techniques for ESG assurance and a preparation strategy.
The value of ESG assurance
According to a recent KPMG survey, potential benefits of ESG assurance services include:
- greater market share
- improved profitability
- improved decision making
- greater innovation
- stronger reputation
- greater shareholder value.
The benefits of assurance outlined above closely match the benefits of complying with ESG generally. Increasingly, customers are looking to buy from ethical companies, suppliers want to work with organisations that value diversity, and revenue can be increased (and costs minimised) through sustainable sourcing practices and by avoiding government litigation and fines.
Beyond these generalised benefits, ESG assurance may offer economic benefits. A report by the Journal of Accountancy indicates that companies receiving assurance reduce capital costs by close to one percent and increase analyst coverage by several percentage points.
In addition, obtaining ESG assurance helps companies justify the investments they are likely to make in ESG generally. With organisations set to invest US$5 trillion in ESG by 2025, failing to comply with reporting requirements due to inaccuracies or poor reporting processes will damage efforts taken by companies to comply with ESG standards in the first place.
Lastly, ESG assurance will help companies (and especially ESG teams and compliance professionals) legitimise the importance of ESG as an essential business area to report on. Financial reporting has traditionally been subject to strict reporting requirements and guidelines and is therefore taken seriously by companies and their stakeholders. As ESG increases in visibility and government directives become more stringent, ESG reporting will also become more important, requiring services like assurance to ensure accuracy and legitimacy.
Techniques for ESG assurance and preparation strategy
Assurance services have traditionally been led by accounting firms, which follow strict protocols and principles to review company reports. These services typically focus on establishing a level of assurance (such as ‘limited assurance’ versus ‘reasonable assurance’), setting out reporting criteria (for example, the framework against which reporting is measured), and utilising various procedures such as document review, calculations, management representations and other techniques to determine the accuracy of reporting and integrity of reporting systems and processes.
ESG assurance can be far more complicated because ESG essentially comprises several disparate risk areas (such as anti-bribery, sustainability and diversity), and each risk area has unique underlying directives and frameworks that shape reporting requirements. As a result of these complexities, protocols may slightly shift depending on which risk area is being reviewed through the assurance services.
For ESG assurance to be effective, companies should follow a strategy that can be applied across multiple risk areas. This strategy reflects several key concepts described in our Speeki Engage framework. Companies need to:
- link applicable ESG reporting standards to each risk area that is relevant to their ESG programme
- identify and establish stakeholders to manage ESG and reporting for each risk area
- identify which systems, platforms and files contain relevant data for each risk area
- work with value chains to gather, build and issue reporting.
The best way to demonstrate these actions is through an example. Anti-bribery has been a critical ESG programme area for the past ten years, with government scrutiny increasing and dozens of companies being fined for undertaking corrupt activity to gain business advantages. During this time, most large companies operating in the United States and Western Europe have established working anti-bribery programmes. Relevant anti-corruption legislation typically does not require regular reporting to government authorities (unless the company is under a monitor or some form of non-prosecution agreement); however, most companies internally report to management regarding the efficacy of their anti-bribery programmes. How would ESG assurance work for the internal reporting component that compliance departments issue to their management teams?
As described above, the first step in preparing for assurance is to link a reporting standard to the relevant risk area. In the case of anti-bribery, many companies have certified (or are in the process of certifying) their anti-bribery programmes against ISO 37001 or ISO 37301, which are compliance standards issued by the International Organization for Standardization (ISO). Section 9.1 of these standards sets out several principles to guide performance measurement and reporting. The key tenets of this section indicate that organisations need to:
- define what needs to be measured and monitored based on the context of the organisation and the scope of its anti-bribery programme
- determine how and when such analysis will be conducted
- develop indicators to determine whether compliance objectives have been met.
When it comes to actual reporting, these standards ask that companies develop criteria based on the context and scope of their anti-bribery programmes, establish actions and timelines, and set up systems to gather and present data.
The second step in preparing for assurance is identifying stakeholders to support reporting. The ISO standards on compliance call on organisations to determine who will contribute to reporting. Compliance and ethics teams will typically lead the effort to manage anti-bribery reporting; however, the ISO standards also require support from internal audit teams (see section 9.2) and management (see section 9.3), and lay out several responsibilities these groups have in supporting measurement, review and reporting for the anti-bribery programme.
The third step in preparing for assurance is identifying which systems, platforms and files contain relevant data for reporting. As we mentioned earlier in this article, assurance services are likely to evaluate the accuracy of reporting and the systems and processes used to support reporting. Compliance teams managing anti-bribery will usually measure and report on elements such as code of conduct certifications, training statistics (which can include several facets, such as percentage of training completed, employee scores and areas for improvement), investigations statistics (such as the number of reports made, the type of allegation, unresolved versus resolved cases and time of resolution), due diligence results (by country, by vendor type and findings) and other broad categories. It’s likely that multiple systems, platforms and files contain this data, such as:
- learning management systems containing training statistics
- reporting systems or tools containing investigation statistics
- ERP systems or vendor management platforms containing due diligence results
- files maintained by internal audit teams containing audit results.
The fourth step is working with value chains to gather and present this data for reporting. Compliance teams will likely work with procurement to review due diligence findings and build reporting on key datasets, with human resources to review investigations and training statistics, and with internal audit and management to incorporate findings from their audits and assessments. During this time, compliance can also determine how effective the various systems, platforms and processes were in gathering, holding and exporting data required for reporting, as assurance services will also evaluate these factors.
ESG assurance services aimed at reviewing a company’s anti-bribery reporting will review how accurately and effectively the reporting reflects the tenets of the reporting programme, as set out in section 9.1 of ISO 37001 or in whatever framework a company has used to set the foundations of their anti-bribery programme. Companies that have certified their programmes against ISO 37001 or ISO 37301 have the luxury of having these assurance services completed each year through surveillance audits, which help ensure that companies continue to comply and report in accordance with the ISO standards.
When it comes to other ESG risk areas, it will be essential for companies to clearly identify the prevailing directive and framework as this will form the foundation of the assurance review.
ESG assurance provides a way for companies to ensure that their reporting activities and systems are delivering accurate data and insights. What we see as the main challenge moving forward for assurance is the fact that ESG programmes consist of several different risk areas, with each requiring its own frameworks, standards and expertise.
We recommend that companies refer back to their original strategy documents relating to ESG and see which risk areas were prioritised. Once a clear priority is visible, companies can go through a similar analysis to the one conducted above – ensuring a clear directive and framework are in place to guide reporting, communicating with stakeholders to gather and verify data, accessing relevant systems and processes, and working with value chains to create and corroborate reporting.
Outside forces are also likely to significantly impact which risk areas companies seek assurance services for. Areas like carbon disclosures, sustainability and diversity (all very publicly visible risk areas) may need to be prioritised given the economic and reputational impact of non-compliance with these areas.
Road to readiness - KPMG
Save money by having your sustainability report assured - Journal of Accountancy
Understanding the SEC’s proposed climate risk disclosure rule - McKinsey