Substantially all large corporations, both in the United States and internationally, are issuing annual sustainability reports. These reports cover the vast spectrum of social issues that a company can face, including environmental issues, greenhouse gas issues, governance issues, personnel issues, social issues, and community relationship issues. In the last decade, these reports have developed in both form and substance. The concepts have various labels such as ESG (environmental, social, and governance), corporate responsibility (CR), corporate social responsibility (CSR), triple bottom line, and others. The reports are intended for all stakeholders, which includes owners, employees, customers, the investment community, and society as a whole. There is no consistency in these sustainability reports, as there are no required standards for such reports.
It is becoming common for separate assurance statements prepared by an outside independent firm to accompany these reports. A 2017 KPMG survey of sustainability reporting (http://KPMG.com/crreporting) indicated that 67% of larger companies obtain an assurance statement of some type on their reports. This article surveys what independent assurers (i.e., accounting firms, assurance specialist consultants) have been doing and the steps needed to obtain more work for the accounting profession in this growing field.
Assurance Statements and Regulation
The regulation of sustainability reports has been inconsistent. In the United States, the SEC does not require any, while the Environmental Protection Agency (EPA) requires a report on greenhouse gases (GHG). The European Commission (EC) requires nonfinancial information reports starting in 2018, and some individual countries require reports. The EC requirement for a sustainability report does not require an assurance statement, but does require that the statutory auditor check that the nonfinancial statement has been provided. This author did not find any governmental requirement for an assurance statement to be included in a sustainability report. Thus, assurance reporting is entirely voluntary—and very inconsistent.
Auditors have been issuing assurance statements for many, many years. These statements generally give assurance as to dollar amounts, but many times they contain other quantitative amounts, and non-quantitative information is increasingly the subject of independent assurance. Professional guidelines on assurance statements were very tight in the past, but have slowly loosened.
Survey of Assurance Statements
This author reviewed 58 assurance statements relating to 45 corporations from 22 countries. The selection process was not random: it was overweighted to U.S. companies but attempted to get wide industry and country coverage.
The assurance statements themselves varied greatly based on what information was in the corresponding sustainability report, the level of disclosure of procedures being followed, and the form of assurance. Generally, all of the reports gave only negative assurance—that is, the assurer did not find anything wrong, or the corporation corrected what was found. The reports generally contained at least four parts: 1) the reporting protocol the company used to create the sustainability report, 2) the portion of the sustainability report covered by the assurance statement, 3) the attestation standard the assurer followed, and 4) the assurer’s opinion. This format parallels standard accounting audit reports; the reporting protocol is the equivalent to GAAP, and the assurance standard being followed is equivalent to GAAS.
The various protocols for the preparation of sustainability reports referred to above comprised the following:
- GRI: the Global Reporting Initiative is a listing of all corporate disclosures, financial and nonfinancial. Many companies include in their sustainability report the GRI index requirement and where the information can be found (23 statements).
- WRI/WBCSD: World Resources Institute/World Business Council for Sustainable Development has written a standard covering GHG emissions (seven statements).
- SDG2030: The UN Sustainable Development Goals (two statements).
- Internal standards created by the corporation, generally without specifying the details of such standards (18 statements).
- SASB: Standards issued by the U.S. Sustainability Accounting Standards Board (one statement). These standards are being created for the investment community as opposed to other stakeholders. The one company that followed the SASB standards did not have an assurance report covering the disclosures.
- The new EU nonfinancial reporting directive (four statements).
- Other protocols, such as the Global Real Estate Sustainability Benchmark (GRESB) for real estate, the IPIECA for the petroleum industry, and the Carbon Disclosure Project (CDP) for carbon and fossil fuels.
Several companies referred to more than one protocol.
Some assurance statements covered areas in which accountants may not be expert, such as childcare. That statement indicated that the assurers spoke to a number of people, reviewed internal reports, and concluded that the corporation had “established appropriate systems.”
Portion of Report Given Assurance
The assurance statements usually stated what portion of the sustainability report the assurer was supporting. Some assurers gave very specific detail as to pages or data; others referred to the entire report. This is similar to the description of the financial statements in a standard audit report. A few of the reports were unclear as to what they were covering and the opinion expressed.
The various attestation standards being followed by the statements reviewed were as follows:
- The AICPA assurance standard issued in 2017. This is a 177-page manual that broadly covers many reporting issues. This guide appears to limit AICPA members’ involvement to quantifiable information (four statements).
- ISAE 3000: the International Standard on Assurance Engagements was issued in 2005 by the International Auditing and Assurance Standards Board (28 statements).
- AA1000AA and AA1000AS: standards issued by the AccountAbility, an international not-for-profit organization that issues standards (12 statements).
- ISO14064-3: a standard issued by the International Organization for Standardization (10 statements).
- Various country- and company-specific standards, referred to but not detailed (13 statements).
Again, several assurers referred to more than one attestation standard.
With two types of exceptions, the assurance opinions were all the same: negative assurance with wording similar to the AICPA standard for review reports. There was one strong independent accountants’ examination report, that of Deloitte relating to the GHG of UPS, expressing an unqualified opinion. Other assurers used wording such as “meets GRI standards” and “reasonably correct.” The longest statement ran four pages; the shortest, one page.
The assurance statements contained various other information:
- Some of the statements detailed the work performed, such as locations visited, documents examined, systems reviewed, documents compared, personnel interviewed, and testing performed.
- Some indicated that suggestions had been made to management; others indicated improvements from the prior year and suggestions for the future.
- Some noted that the work was done remotely; others indicated the length of time spent, in one case that the work took only three or four days.
- Twelve statements had various use restrictions. The wording varied but could be summarized as, “We do not assume any liability to third parties other than management.” The author feels such words may undercut the reliability of the assurance statement, especially by limiting responsibility to only one stakeholder, the company. In view of the unsettled third-party liability for assurance statements, however, it does appear to be prudent to include such a disclaimer.
Source of Statements
For the reports reviewed, the assurers were equally split between accounting firms and consulting firms. The Big Four accounting firms and one second-tier firm were the accounting firm assurers. Of the consultants, Bureau Veritas was by far the largest, with nine assurance statements; 10 other consultants’ reports were included in the sample. Other consultants were also large international operations, although some assurers appeared to be small firms. A report by the Investor Responsibility Research Center Institute (http://www.irrcinstitute.org) in November 2018 indicated that of 120 assurance statements, only 23 were issued by the Big Four accounting firms.
As a lifelong auditor, the author personally believes that CPA firms should develop the capability of issuing assurance statements; however, getting up to speed will require some investment.
As a lifelong auditor, the author personally believes that CPA firms other than the large international firms should develop the capability of issuing assurance statements; however, getting up to speed will require some investment. There are various courses available, and firms could utilize the reports of other experts in areas such as GHG, where financial statement auditors may not be expert. In addition, there is considerable competition; in this sample, there were 11 different U.S. firms issuing assurance statements, including the Big Four. From this author’s perspective, the AICPA guidance was not particularly helpful, as it created a reporting straitjacket. Possibly as a result, there were four reports on U.S. companies issued by non-U.S. firms, and of the 11 reports issued by firms with a U.S. address, only three were issued by accounting firms.
It would be useful for the AICPA to develop a standard for proper assurance of nonmeasurable information. While the assurance guide appears to allow assurance on qualitative subject matters, the June 1, 2017, guide appears to prohibit such assurance in sections 1.33 through 1.38. If the guide gave a broader description of giving assurance on qualitative information, it might reduce the afore-mentioned straitjacket constricting U.S. firms’ involvement in assurance attestation on assurance reports.
From a reader’s point of view, one is left with various questions unanswered by these assurance statements:
- Should one care how much effort the assurer put into the report? Can one trust a report that says only three days were spent, or the work was done “remotely”?
- Is it useful for a reader to have a list of procedures, or, like the standard financial statement audit report, should an assurance report simply state that the protocol was followed?
- What does negative assurance really mean? This issue is no different from the reliability of a reviewed financial statement. Did the auditors just look where management wanted them to look, as opposed to trying to find error anywhere?
- From reading the sustainability reports, one is led to believe that management really cares about these issues. Is that conclusion misleading?
- In the United States, large quantities of data are published quarterly and annually by public companies (see this author’s previous article published in the November 2007 CPA Journal, “Have We Created Financial Statement Disclosure Overload?”). Is there a point where auditors should say, “Let’s figure out what disclosures can be eliminated before we write more?”
- Are these sustainability reports really intended to do no more than allow evaluators of corporations to check the “Yes, they issued a report” box?
There is also a great need for standardization of structure and content in the sustainability reports themselves. U.S. stakeholders are used to seeing Form 10-K or proxy statement filings with the SEC and know where to turn for any needed information. Sustainability reports are entirely different; there is no established pattern. Some do publish the GRI index, but the references are not necessarily clear. There is movement to make reports more consistent; in November 2018, four major global reporting groups announced plans to align their standards. As long as there is no consistency or standards in the sustainability reports themselves, however, it is difficult to criticize the assurance statements for their lack of consistency or comparability.