Key Takeaways
  • The ESG assurance process follows eight structured steps from initial scoping through to the final assurance statement and management letter.
  • Scoping defines which KPIs, entities, locations, and reporting period are covered -- and which are excluded.
  • The assurance provider performs KPI-level testing through recalculation, source document inspection, analytical review, and inquiry.
  • For multi-site organizations, site visits follow a risk-based sampling approach to verify data at source.
  • Deliverables include the public-facing independent assurance statement and a confidential management letter with detailed findings.

ESG Assurance Process Overview

An ESG assurance engagement is a structured, standards-driven process through which an independent assurance provider examines an organization's ESG disclosures and expresses a conclusion on their reliability. While each engagement is tailored to the specific organization and scope, the fundamental process follows a consistent eight-step workflow mandated by assurance standards such as ISAE 3000 (Revised) and ISSA 5000.

Understanding this process is valuable for organizations preparing for their first ESG assurance engagement, as well as for those seeking to improve data readiness and streamline interactions with their assurance provider. The process described here applies to both limited and reasonable assurance engagements, with the key differences being the depth and extent of procedures at each step.

The end-to-end process typically spans 6 to 14 weeks, depending on the scope, number of KPIs, geographic spread of operations, assurance level, and the organization's data readiness. Organizations that invest in thorough preparation -- particularly data documentation and internal quality reviews -- consistently experience smoother and faster assurance engagements.

Step 1: Scoping and Pre-Engagement

Every ESG assurance engagement begins with scoping. This is arguably the most consequential step, as it defines exactly what will -- and will not -- be covered by the assurance provider's conclusion. Errors in scoping lead to misaligned expectations, scope gaps, and potential regulatory non-compliance.

Defining the Subject Matter

The subject matter is the ESG information to be assured. Scoping decisions include:

  • Which KPIs: Specific metrics (e.g., Scope 1 GHG emissions in tCO2e, total water withdrawal in megalitres, LTIFR, gender diversity percentages)
  • Which entities: Parent company only, consolidated group, specific subsidiaries, or specific operational units
  • Which locations: All sites or a defined subset (e.g., manufacturing facilities only, or sites contributing >5% of total emissions)
  • Reporting period: Financial year, calendar year, or other defined period
  • Reporting framework: GRI Standards, ESRS, BRSR, GHG Protocol, ISSB/IFRS S2

Assurance Level Selection

The scoping phase also confirms the assurance level:

  • Limited assurance: Appropriate when regulatory requirements allow it, data systems are still maturing, or budget constraints apply
  • Reasonable assurance: Required by BRSR Core, planned for CSRD (post-2028), and preferred by sophisticated investors
  • Mixed levels: Some organizations obtain reasonable assurance on core KPIs (e.g., GHG emissions) and limited assurance on others (e.g., social metrics)

Engagement Letter

The scoping outcomes are formalized in an engagement letter (or terms of engagement) signed by both the assurance provider and the organization's management. This document includes the scope, assurance level, responsibilities of each party, intended use of the assurance statement, timeline, and fees.

Step 2: Criteria Selection

Suitable criteria are the benchmarks against which the ESG information is evaluated. The assurance provider must confirm that the chosen criteria are suitable -- meaning they are relevant, complete, reliable, neutral, and understandable.

Common ESG Reporting Criteria

Criteria Type             | Examples                                                  | Typical Use
Established frameworks    | GRI Standards, ESRS, BRSR, GHG Protocol                   | Most common for comprehensive ESG reporting
Entity-developed criteria | Internal KPI definition sheets, calculation methodologies | Supplementary to frameworks, or for bespoke metrics
Regulatory requirements   | SEBI BRSR format, EU ESRS, SEC climate rules              | Where regulatory disclosure is the primary driver
Sector-specific           | SASB standards, ICMM, IPIECA, EPRA                        | Industry-specific KPIs and definitions

When entity-developed criteria are used (e.g., the organization's own KPI definition sheets), the assurance provider evaluates whether those criteria meet the suitability requirements. Poorly defined criteria -- such as a KPI definition that is ambiguous about organizational boundary or calculation methodology -- will be flagged as a pre-engagement issue.

Step 3: Planning and Risk Assessment

Engagement planning transforms the agreed scope into a detailed work programme. The assurance provider develops a plan that addresses the risks of material misstatement in the ESG disclosures.

Risk Assessment

The assurance provider identifies risks that the ESG information could contain material misstatements, considering:

  • Data complexity: KPIs with complex calculations (e.g., Scope 3 emissions using spend-based factors) carry higher inherent risk
  • Data sources: Manual data collection processes are higher risk than automated systems with built-in controls
  • Estimation uncertainty: Metrics relying on estimates, proxies, or extrapolation require additional scrutiny
  • Organizational changes: Mergers, acquisitions, divestitures, or boundary changes can introduce reporting inconsistencies
  • Historical findings: KPIs that had errors in previous periods receive heightened attention
  • Materiality of contribution: Large-volume sites or KPIs with significant absolute values are prioritized

Materiality Determination

The assurance provider determines materiality thresholds for the ESG information. Unlike financial audit materiality (typically 1-5% of a financial benchmark), ESG materiality requires more nuanced judgement because:

  • ESG metrics lack a single aggregating denominator like revenue or profit
  • Stakeholder sensitivity may make small errors material for certain KPIs (e.g., safety fatalities, where even one misreported case is significant)
  • Regulatory thresholds may define specific tolerance levels
  • Different KPIs may have different materiality levels (5% of total emissions vs. absolute accuracy for diversity headcounts)

Procedure Design

Based on the risk assessment, the assurance provider designs specific procedures for each KPI or area of the sustainability report. Procedures are categorized as:

  • Inquiry: Interviewing management, data owners, and site personnel
  • Analytical procedures: Comparing reported data against prior periods, benchmarks, or expected values
  • Inspection: Examining source documents, utility bills, meter readings, system reports
  • Recalculation: Independently recalculating KPI values from source data
  • Observation: Observing data collection processes, measurement equipment, and operational practices
  • External confirmation: Obtaining independent confirmation from third parties (e.g., utility providers, waste contractors)

Step 4: Understanding the Entity

Before executing detailed testing, the assurance provider must develop a thorough understanding of how the organization collects, processes, aggregates, and reports ESG data. This step is essential for identifying where data quality risks exist and where controls are (or should be) operating.

Key Areas of Understanding

  • ESG governance structure: Who is responsible for ESG data at each level (site, business unit, group)?
  • Data collection processes: How is raw data captured at source (manual entry, meter readings, system integrations)?
  • Data flow and aggregation: How does data move from source to reported figure (spreadsheets, ESG software platforms, ERP integrations)?
  • Internal controls: What review, approval, and quality checks exist at each stage?
  • Calculation methodologies: What formulas, emission factors, and conversion factors are used?
  • System landscape: What IT systems support ESG data management (dedicated ESG platforms, ERP modules, manual spreadsheets)?

Walkthrough Procedures

The assurance provider typically performs "walkthroughs" for each significant data stream -- tracing a specific data point from its raw source (e.g., a natural gas meter reading) through each processing step (manual recording, data entry, conversion, aggregation) to the final reported figure. These walkthroughs reveal control gaps, data loss points, and potential error sources.

Step 5: Evidence Gathering and KPI-Level Testing

This is the core of the assurance engagement -- the phase where the assurance provider actively tests whether the reported ESG data is accurate, complete, and consistent with the stated criteria.

Testing Approaches by KPI Type

GHG Emissions (Scope 1 and 2)

  • Recalculate emissions from source data (fuel purchase invoices, electricity bills, meter readings)
  • Verify emission factors used against published sources (DEFRA, EPA, IPCC, national grid factors)
  • Check organizational and operational boundary definitions
  • Test consolidation logic (equity share vs. operational control)
  • Perform analytical review comparing emissions intensity against prior periods and industry benchmarks

Water and Waste Metrics

  • Inspect water bills and meter readings for sampled locations
  • Verify waste disposal records against waste contractor invoices and manifests
  • Recalculate recycling rates from underlying disposal category data
  • Check consistency of unit conversions (e.g., cubic metres to megalitres)

Social Metrics (Workforce, Safety)

  • Agree headcount and diversity data to HR system extracts
  • Verify safety incident data against incident management system records
  • Recalculate rates (LTIFR, TRIR) from underlying incident and hours-worked data
  • Test the completeness of incident reporting through inquiry and sample corroboration

Governance and Qualitative Disclosures

  • Inspect board meeting minutes for evidence of ESG oversight
  • Verify policy existence and approval dates
  • Test training completion claims against learning management system data
  • Corroborate narrative disclosures with supporting evidence

Sampling Methodology

For organizations with large volumes of transactions or data points, the assurance provider applies statistical or judgemental sampling. Sample sizes are determined by:

  • Population size and variability
  • Assessed risk level for the KPI
  • Assurance level (reasonable assurance requires larger samples)
  • Acceptable detection risk
  • Results from any analytical procedures already performed

Step 6: Site Visits and Sampling

For multi-site organizations, the assurance provider cannot test every data point at every location. Instead, site visits follow a risk-based selection approach.

Site Selection Criteria

  • Materiality of contribution: Sites contributing the largest share of emissions, water use, or workforce are prioritized
  • Risk factors: Sites with known data quality issues, manual processes, or recent operational changes
  • Geographic spread: Ensuring representation across countries and regions
  • Site type diversity: Including different operational types (manufacturing, offices, warehouses)
  • Rotation: For ongoing engagements, rotating sites across assurance cycles to achieve broader coverage over time
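The selection criteria above can be turned into a repeatable, documented procedure. The following Python sketch is an added example, not code from the original article or from any assurance provider: it scores a constructed site population by contribution share weighted by an assessor's risk score, halves the score of sites visited in the previous cycle (rotation), keeps only sites above a materiality cut-off, takes enough of the top-ranked sites to meet a coverage target, and then tops up so every region with a material site is represented. The site names, emissions figures, risk scores, the 5% materiality cut-off and the 30% coverage target are all assumptions; site-type diversity is not modelled here.

```python
import math
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    region: str
    site_type: str
    emissions_tco2e: float      # the site's contribution to the KPI under test
    risk_score: int             # 1 (low) to 3 (high); the assessor's judgement
    visited_last_cycle: bool    # used for rotation across assurance cycles


# Constructed site population for this example only.
SITES = [
    Site("Plant A", "EU", "manufacturing", 40000, 2, True),
    Site("Plant B", "EU", "manufacturing", 30000, 3, False),
    Site("Plant C", "EU", "manufacturing", 15000, 1, False),
    Site("Plant D", "APAC", "manufacturing", 25000, 1, False),
    Site("Plant E", "APAC", "manufacturing", 12000, 2, True),
    Site("Plant F", "NA", "manufacturing", 20000, 2, True),
    Site("Plant G", "NA", "manufacturing", 10000, 3, False),
    Site("Warehouse H", "NA", "warehouse", 8000, 3, False),
    Site("Office I", "EU", "office", 1500, 1, True),
    Site("Office J", "APAC", "office", 900, 1, False),
]


def priority(site, total):
    """Contribution share weighted by risk; halved for rotation if visited last cycle."""
    score = (site.emissions_tco2e / total) * site.risk_score
    return score * 0.5 if site.visited_last_cycle else score


def select_sites(sites, coverage_target=0.30, material_share=0.05):
    """Risk-based selection: rank material sites, meet the coverage target, ensure regional spread."""
    total = sum(s.emissions_tco2e for s in sites)
    # Materiality of contribution: only sites above the cut-off are in the pool.
    material = [s for s in sites if s.emissions_tco2e / total >= material_share]
    ranked = sorted(material, key=lambda s: priority(s, total), reverse=True)
    needed = max(1, math.ceil(coverage_target * len(material)))
    chosen = ranked[:needed]
    # Geographic spread: every region that has a material site gets at least one visit.
    for region in dict.fromkeys(s.region for s in material):
        if not any(s.region == region for s in chosen):
            chosen.append(next(s for s in ranked if s.region == region))
    return chosen


def covered_share(chosen, sites):
    """Fraction of the KPI total that the selected sites account for."""
    return sum(s.emissions_tco2e for s in chosen) / sum(s.emissions_tco2e for s in sites)


if __name__ == "__main__":
    picks = select_sites(SITES)
    for s in picks:
        print(f"{s.name:12} {s.region:5} risk={s.risk_score} {s.emissions_tco2e:>8,.0f} tCO2e")
    print(f"coverage of KPI total: {covered_share(picks, SITES):.0%}")
```

With this population the procedure picks Plant B, Plant A and Plant G on score, then adds Plant D so that APAC is represented; four of seven material sites, covering roughly 65% of the emissions total. Recording the scores alongside the selection gives the working-paper trail that explains why a site was, or was not, visited.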

On-Site Activities

During a site visit, the assurance team typically:

  • Interviews site-level data owners and EHS personnel
  • Inspects source documents (utility bills, meter records, waste manifests, safety logs)
  • Observes data collection processes and measurement equipment
  • Traces sample data points from source to the centrally reported figure
  • Tests site-level internal controls (e.g., meter reading schedules, data entry review processes)
  • Documents findings and communicates preliminary observations to site management

For reasonable assurance engagements, site visit coverage is typically more extensive (visiting 30-50% of material sites) compared to limited assurance (15-30% of material sites), though these percentages vary by engagement context.

Step 7: Forming Conclusions

After completing all planned procedures, the assurance provider evaluates the evidence gathered and forms their overall conclusion.

Evaluation of Misstatements

All identified errors and misstatements are documented and assessed:

  • Corrected misstatements: Errors identified by the assurance provider that management corrects before finalizing the report
  • Uncorrected misstatements: Errors that management chooses not to correct, which the assurance provider evaluates against materiality
  • Judgemental misstatements: Differences in estimation approaches or methodological choices that could affect reported figures

The assurance provider accumulates uncorrected misstatements and evaluates whether their aggregate effect is material. If aggregate misstatements exceed materiality, the assurance conclusion must be modified (qualified, adverse, or disclaimer).

Conclusion Types

Conclusion Type    | Meaning                                                | When Used
Unmodified (clean) | Information is free from material misstatement         | No material issues identified; most common outcome
Qualified          | Material but not pervasive misstatement or limitation  | Specific KPI or area has a material issue, but the rest is reliable
Adverse            | Material and pervasive misstatement                    | Rare; indicates widespread unreliability of ESG data
Disclaimer         | Unable to form a conclusion                            | Insufficient evidence; unable to perform necessary procedures

Step 8: Deliverables and Reporting

The ESG assurance engagement produces two primary deliverables:

Independent Assurance Statement

The assurance statement is the formal, public-facing report that communicates the provider's conclusion. It is typically published alongside the organization's sustainability report or annual report. Prescribed elements include:

  • Title identifying it as an independent assurance report
  • Addressee (typically the Board of Directors or Audit Committee)
  • Description of the subject matter and scope
  • Identification of the applicable criteria
  • Description of the assurance standard used (ISAE 3000, ISSA 5000)
  • Assurance level (limited or reasonable)
  • Summary of procedures performed
  • Responsibilities of management and the assurance provider
  • The assurance conclusion
  • Any emphasis of matter or other matter paragraphs
  • Name and qualifications of the assurance provider
  • Date and location

Management Letter

The management letter is a confidential document that provides management with detailed findings from the engagement. It typically includes:

  • List of all identified misstatements (corrected and uncorrected)
  • Observations on data quality issues, even if not material
  • Internal control weaknesses and improvement recommendations
  • Process improvement suggestions for future reporting cycles
  • Observations on KPI definitions, boundary issues, or methodology concerns
  • Best practice recommendations based on the provider's cross-client experience

The management letter is highly valuable for driving continuous improvement in ESG reporting quality. Organizations should treat it as an action plan for the next reporting cycle.

Typical Timeline

The following timeline represents a typical ESG assurance engagement. Actual timelines vary based on scope, complexity, and data readiness.

Phase                       | Duration  | Key Activities
Pre-engagement / Scoping    | 1-2 weeks | Scope definition, engagement letter, kickoff meeting
Planning                    | 1-2 weeks | Risk assessment, materiality, procedure design, information request
Fieldwork (desk-based)      | 2-4 weeks | Data testing, recalculations, analytical review, inquiry
Site visits                 | 1-3 weeks | On-site verification at selected locations
Conclusion and reporting    | 1-2 weeks | Evaluate evidence, form conclusion, draft assurance statement, management letter
Quality review and issuance | 1 week    | Internal quality review, final issuance

Organizations preparing for ESG assurance for the first time should allow an additional 4-6 weeks of internal preparation before the engagement begins, focusing on KPI documentation, data reconciliation, and evidence compilation.

Frequently Asked Questions

How long does an ESG assurance engagement take?

A typical ESG assurance engagement takes 6-12 weeks from kick-off to final report, depending on scope complexity, number of KPIs, sites to visit, and data readiness. Limited assurance engagements are generally faster (6-8 weeks) while reasonable assurance engagements require more time (8-14 weeks) due to extended testing and larger sample sizes.

What is an ESG assurance statement?

An ESG assurance statement (also called an independent assurance report) is a formal document issued by the assurance provider expressing their conclusion on whether the organization's ESG disclosures are free from material misstatement. It includes the scope of the engagement, criteria used, procedures performed, and the assurance conclusion in either limited or reasonable form.

What evidence is needed for ESG assurance?

ESG assurance requires evidence including: KPI definition and calculation methodology documents, source data (utility bills, meter readings, HR system extracts), data aggregation workbooks, internal control documentation, process narratives, organizational boundary documentation, emission factor sources, and any third-party data or certifications referenced in reported figures.

What is the difference between an assurance statement and a management letter?

The assurance statement is the formal public-facing document expressing the assurance conclusion. The management letter is a confidential document addressed to management containing detailed findings, observations, identified errors, control weaknesses, and recommendations for improvement. Both are standard deliverables from an ESG assurance engagement.

Do assurance providers visit our sites?

For multi-site organizations, the assurance provider will typically visit a sample of sites to verify data collection processes, inspect source documents, interview site personnel, and test local controls. The number and selection of sites depends on the total site population, materiality of each site's contribution, risk factors, and whether the engagement is limited or reasonable assurance.