Mike Shannon, Leadership | 28 February 2024
As the momentum continues to build around ESG reporting requirements, so too does the need for assurance. Assurance is critical – robust assurance processes over ESG data improve the reliability of the information reported, building confidence in the ESG agenda.
There are a few questions that I am asked regularly about ESG assurance – notably, the difference between ‘reasonable’ and ‘limited’ assurance. I hope that the following will help build an understanding of what’s at play.
What is the difference between reasonable and limited assurance?
An analogy I find helpful here is with the auditing of financial statements. Reasonable assurance is in many ways the equivalent of an audit opinion over financial information. An audit opinion lets you know the financial statements have been prepared in the right way, that they are reasonably stated and are materially correct. Reasonable assurance work follows a similar methodology to an audit: gaining an understanding of the company and its culture, assessing and reviewing its controls, identifying risks, undertaking detailed testing – evaluating the evidence obtained and forming the assurance conclusion.
Limited assurance¹, on the other hand, as the name suggests, is not as comprehensive. It follows the same methods as reasonable assurance but, because the level of assurance obtained is lower, the procedures the practitioner will perform will vary in nature and timing and will be less extensive. It establishes that the company meets the preconditions for assurance and that the right controls, processes and frameworks are in place; it increases confidence in the data, but not to the same extent as reasonable assurance. To continue the financial statement audit analogy, certain components of limited assurance are comparable to when an auditor conducts a limited review or interim review. Although similar, limited assurance may require more effort as the assurance practitioner will not have performed an audit of the information six months earlier.
Who decides whether assurance needs to be reasonable or limited?
Even when assurance is voluntary, the needs of the users should be the key driver of the level of assurance. Up to now, this has been a matter for a company to decide, as the whole ESG reporting and assurance environment has been mostly voluntary. An organization could report without obtaining any assurance; it could have limited assurance; or it could opt for full reasonable assurance.
But that has already begun to change as new rules and regulations have appeared – and these will dictate the level of assurance conducted. The EU’s Corporate Sustainability Reporting Directive (CSRD) has already come into effect for the largest businesses operating in the region. This has a staggered or laddered approach whereby companies can start with having limited assurance but, over a period of four years, must move to reasonable assurance. Other smaller companies will begin on this journey under the CSRD starting next year.
Then there is the International Sustainability Standards Board (ISSB). Their standards will be adopted as the statutory framework for sustainability reporting on a country-by-country basis – and each country will decide what level of assurance is needed.
Meanwhile, the SEC in the US has just published its rules that require assurance only on Scope 1 and 2 GHG emissions.
Could the differences between assurance types drive a new kind of ‘expectation gap’?
Absolutely, yes. It will be really important that users understand the difference between reasonable and limited assurance, and check to see what information has been assured to what level.
The complexity of the different timescales and stages of the journey, under different sets of regulations, could also drive an expectation gap and become confusing to users of information.
Another complicating factor is that, at present, the requirements for limited assurance are quite broad and the assurance provider has some latitude over how much testing they do and at what level of detail. Lack of uniformity here could add to the expectation gap. At KPMG, our methodology is consistent to ensure comparability from one engagement to another.
Further, I would also flag that I expect it could become relatively common, in the early years, to see assurance providers giving a modified opinion (similar to a qualified audit opinion). This would be the case when key data has been missing (perhaps because the company does not yet have the systems or information flow to report it) or when it has not been possible to test it (perhaps because it is not of sufficient quality or granularity). This won’t be as serious as a qualified audit opinion, but it’s something we may need to get used to as companies navigate the ESG reporting journey.
What can assurance providers do to help drive understanding?
For a limited assurance engagement² there will be an assurance report – along similar lines to an auditor’s report – and so assurance providers should set out very clearly the exact level of work and testing they have done. This will not be needed for a reasonable assurance engagement, as here you will be stating that the reporting is not materially misstated.
It will also be important that assurance providers raise awareness of the issues and concepts involved in assurance engagements so as to increase stakeholder understanding – through engagement and discussion with businesses and stakeholder groups and the dissemination of pieces such as this. Education is everything.
What do stakeholders and users of information need to do?
There is an element of caveat emptor here. Users should make the effort to read the assurance report to make sure they understand what level of assurance has been given, and over what data. Just as it will be a journey and a learning process for the companies reporting, so too for users of the information.
1 An assurance engagement in which the practitioner reduces engagement risk to a level that is acceptable in the circumstances of the engagement but where that risk is greater than for a reasonable assurance engagement as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the practitioner’s attention to cause the practitioner to believe the sustainability information is materially misstated. The nature, timing and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the practitioner’s professional judgment, meaningful. To be meaningful, the level of assurance obtained by the practitioner is likely to enhance the intended users’ confidence about the sustainability information to a degree that is clearly more than inconsequential.
2 Under proposed standards, for a limited assurance engagement, there should be a section, with the heading "Summary of Work Performed," that contains an informative summary of the work performed as a basis for the practitioner’s conclusion. This section will describe the nature, timing and extent of procedures performed sufficiently to enable users to understand the limited assurance the practitioner has obtained.