Making sense of mandatory assurance

Required assurance for non-financial information is coming. But according to research from KPMG, only 29% of companies feel ready to have their ESG data independently assured. Even among leading companies, assurance has been limited to a few key data points, such as Scope 1 and 2 emissions, over the past few years. Emerging regulation will disrupt that pattern, with the EU CSRD initially requiring limited assurance of all reported sustainability information.

If assurance is not yet part of your repertoire, it will be soon.

Here are answers to some key questions to help you start digging into this topic.

Q: Why are assurance requirements so common across new disclosure regulations? Aren’t disclosure requirements sufficient on their own?

A: Many jurisdictions are mandating sustainability disclosures to improve information for investors, so assurance is essential to creating validity for a disclosure regime. If information can be trusted, then it can be used to inform decision-making. Until this point, investors have basically been taking any sustainability-related disclosure at face value. With assurance, data becomes more meaningful and actionable.

It’s a bit like bringing a used car to a trusted mechanic to look it over before you purchase. You want someone else to verify that what has been said is true and can be taken seriously — so that you can make an informed decision.

Q: Some legislation, such as CSRD, references assurance requirements that shift over time, beginning with limited assurance and transitioning to reasonable assurance. What does that mean?

A: Limited and reasonable assurance are two ways to validate the completeness and accuracy of assured data. The difference is not about the reliability of underlying information, but about the practices used to validate data. Limited assurance generally focuses on high-risk data/topics and attempts to reduce the risk of errors to an acceptable level. The sample size of data is usually smaller and generally requires less work for the auditor. Reasonable assurance reflects a higher level of due diligence, with assurance providers performing an in-depth investigation using a larger sample, resulting in a lower likelihood of errors.

The actions of an assurance provider will vary depending on the data being assured. For example, if the data point under consideration is an animal welfare policy, both limited and reasonable assurance will use the same type of process to verify the policy's existence. However, for data that is more complex, such as the implementation of that policy across global suppliers, assurance providers will need to gather more information to ensure that the policy has actually been implemented, with reasonable assurance engaging a larger sample of the company’s operations and suppliers.

For regulations that shift from limited to reasonable assurance over time, the requirement eases companies into the assurance process, enabling a ramping up of assurance levels. In practice, this will give companies the opportunity to develop the internal controls needed to support reasonable assurance.

Q: How do assurance requirements impact my report?

A: To support the assurance process, companies should try to ensure that their data controls processes are in order, with appropriate documentation and evidence for all assured data points compiled to inform the report narrative. For example, for quantitative information, they should be prepared to provide auditors with documentation on methodological approaches, quality checks, data sources or collection approaches. These types of data controls will likely impact the requests made of subject matter experts during the data-gathering portion of report development.

Assurance will also impact timing. To give assurance providers enough time to do their work, the assurance process will likely need to begin prior to report drafting. Assurance providers may be able to use a previous year’s report to begin identifying where documentation or interviews may be needed to review key data points.

Finally, assurance may affect how businesses choose to tell their story. For all data that needs to be assured, reporters will need to be even more diligent about avoiding misleading claims in the report narrative, as well as omitting discussion of issues that obscure their impacts.

Q: How should I think about finding an assurance provider?

A: First, identify if your jurisdictional requirements specify what type of assurance provider must be used. If there is no specific requirement, you can determine what information will need to be assured based on the scope of required assurance, which varies based on jurisdiction. Unless required, most companies do not assure their entire reports, but rather select key pieces of information, such as that related to material topics.

Once you know what information will need to be assured, you can look for an assurance provider who has relevant expertise for your company. In most areas, financial audit firms and accredited certification firms, which may specialize in specific sustainability-related issues, can support the assurance process. In cases where there are high levels of integration between financial and sustainability reporting data systems, it may make sense to use the same auditor for financial and sustainability-related audits. However, it is not necessary to do so, and the choice should reflect the assurance provider’s ability to meet your company’s specific needs.

Assurance will soon become a reality for many companies. If you haven’t begun to think through how assurance requirements will impact your sustainability disclosure strategy, now is a great time to start.